Scaffolding Extensions Plugin Security Update (with New Feat

I just wanted to let everyone know that I found a major security
problem with the Scaffolding Extensions plugin that I develop. There
is an SQL injection vulnerability in the search results function due
to lack of sanitation of user input. If you are using the plugin and
allowing public access to the search feature it provides, I highly
recommend you update the plugin as soon as possible.

The vulnerability is trivial to exploit as evidenced by the following
code:

params[:null].each {|field| conditions[0] << #{class_name}.table_name + '.' + field + ' IS NULL' } if params[:null]
params[:notnull].each {|field| conditions[0] << #{class_name}.table_name + '.' + field + ' IS NOT NULL' } if params[:notnull]
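To make the defect concrete, here is an added example (not the plugin's code) that reproduces the same condition-building pattern in plain Ruby, without Rails, and places it beside a hardened version. The table name and column list are constructed stand-ins for what an ActiveRecord model would provide; the hardened version accepts a field only if it is one of the model's known column names, which is the usual fix for identifiers (column or table names) that cannot be passed as bind parameters.

```ruby
# Added example, not from the Scaffolding Extensions plugin.
# Constructed stand-ins for a model's table name and column names.
TABLE_NAME = 'posts'
COLUMN_NAMES = %w[id title body published_at].freeze

# Vulnerable pattern: field names taken from the request are concatenated
# straight into SQL, so anything the client sends becomes part of the query.
def null_conditions_unsafe(params)
  clauses = []
  Array(params[:null]).each { |field| clauses << TABLE_NAME + '.' + field + ' IS NULL' }
  Array(params[:notnull]).each { |field| clauses << TABLE_NAME + '.' + field + ' IS NOT NULL' }
  clauses.join(' AND ')
end

# Hardened version: a field is only interpolated if it is a known column name.
# Column names are identifiers, not values, so they cannot be bound with "?";
# checking them against an allow-list is the appropriate control.
def null_conditions_safe(params)
  clauses = []
  { null: 'IS NULL', notnull: 'IS NOT NULL' }.each do |key, operator|
    Array(params[key]).each do |field|
      unless COLUMN_NAMES.include?(field)
        raise ArgumentError, "unknown column #{field.inspect} for #{TABLE_NAME}"
      end
      clauses << "#{TABLE_NAME}.#{field} #{operator}"
    end
  end
  clauses.join(' AND ')
end

# Convenience predicate: does the hardened builder reject this input?
def rejected_by_safe?(params)
  null_conditions_safe(params)
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  normal = { null: ['title'], notnull: ['body'] }
  # Constructed hostile input: a "field name" that is really SQL text.
  hostile = { null: ['id IS NULL OR 1=1 --'] }

  puts "unsafe, normal input:  #{null_conditions_unsafe(normal)}"
  puts "unsafe, hostile input: #{null_conditions_unsafe(hostile)}"
  puts "safe, normal input:    #{null_conditions_safe(normal)}"
  puts "safe rejects hostile?  #{rejected_by_safe?(hostile)}"
end
```

Running the script shows the unsafe builder emitting the hostile text verbatim inside the WHERE clause, while the hardened builder produces identical SQL for legitimate column names and raises for anything else. In a Rails controller the raise would be turned into a 4xx response rather than propagated.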

The latest revision of the plugin, which fixes this vulnerability, is
available at:

svn: svn://suven.no-ip.org/rails/plugins/scaffolding_extensions
file: http://suven.no-ip.org/scaffolding_extensions.tar.gz

I found this bug as I was finishing up a bunch of new features for the
plugin (which are also included in the latest revision), such as:

  1. Pagination of the search results
  2. Only update attributes specified in the scaffold (no need for
    attr_protected or attr_accessible)
  3. Allow outputting the code generated by the scaffold method instead
    of evaluating it (a poor man’s generator)
  4. Allow choosing the visible name for each attribute
  5. Use HTML label tags in forms
  6. Specify different fields used for each scaffold type (i.e. some
    fields can be shown but are not editable)
  7. Add some testing code that allows for limited testing of the plugin
    in your environment
  8. Various bug fixes and minor enhancements

I apologize for the serious vulnerability this plugin exposed,
especially since the vulnerability is fairly obvious just by looking
at the code. I’ll be more diligent in the future.

Jeremy