Hi all !
I’d like to confirm if I’m reading correctly.
It seems ActiveRecord::Acts::Taggable::SingletonMethods#find_tagged_with
is vulnerable to SQL injection attacks:
def find_tagged_with(options = {})
options = { :separator => ’ ’ }.merge(options)
tag_names = ActiveRecord::Acts::Taggable.split_tag_names(options[:any]
|| options[:all], options[:separator])
raise “No tags were passed to :any or :all options” if
tag_names.empty?
o, o_pk, o_fk, t, t_pk, t_fk, jt = set_locals_for_sql
sql = “SELECT #{o}.* FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} =
#{t}.#{t_pk}
AND (#{t}.name = '#{tag_names.join(”’ OR #{t}.name=’")}’)
AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
…
end
Notice tag_names is directly interpolated into the generated SQL ?
First of all, am I seeing things correctly ? If so, we should simply
be calling #quote here, right ?
Bye !