Scaffolding Extensions Plugin Security Update (with New Feat

I just wanted to let everyone know that I found a major security
problem with the Scaffolding Extensions plugin that I develop. There
is an SQL injection vulnerability in the search results function due
to lack of sanitation of user input. If you are using the plugin and
allowing public access to the search feature it provides, I highly
recommend you update the plugin as soon as possible.

The vulnerability is trivial to exploit as evidenced by the following

params[:null].each {|field| conditions[0] <<
#{class_name}.table_name + ‘.’ + field + ’ IS NULL’ } if params[:null]
params[:notnull].each {|field| conditions[0] <<
#{class_name}.table_name + ‘.’ + field + ’ IS NOT NULL’ } if

The latest revision of the plugin, which fixes this vulnerability, is
available at:

svn: svn://

I found this bug as I was finishing up a bunch of new features for the
plugin (which are also included in the latest revision), such as:

  1. Pagination of the search results
  2. Only update attributes specified in the scaffold (no need for
    attr_protected or attr_accessible)
  3. Allow outputing the code generated by the scaffold method instead
    of evaluating it (a poor man’s generator)
  4. Allow choosing the visible name for each attribute
  5. Use HTML label tags in forms
  6. Specify different fields used for each scaffold type (i.e. some
    fields can be shown but are not editable)
  7. Add some testing code that allows for limited testing of the plugin
    in your environment
  8. Various bug fixes and minor enhancements

I apologize for the serious vulnerability this plugin exposed,
especially since the vulnerability is fairly obvious just by looking
at the code. I’ll be more diligent in the future.