Forum: Ruby on Rails acts_as_taggable vulnerable to attacks?

Francois Beausoleil (Guest)
on 2006-02-28 08:40
(Received via mailing list)
Hi all!

I'd like to confirm if I'm reading correctly.

It seems ActiveRecord::Acts::Taggable::SingletonMethods#find_tagged_with
is vulnerable to SQL injection attacks:

def find_tagged_with(options = {})
  options = { :separator => ' ' }.merge(options)

  tag_names = ActiveRecord::Acts::Taggable.split_tag_names(options[:any] || options[:all], options[:separator])
  raise "No tags were passed to :any or :all options" if tag_names.empty?

  o, o_pk, o_fk, t, t_pk, t_fk, jt = set_locals_for_sql
  sql = "SELECT #{o}.* FROM #{jt}, #{o}, #{t} WHERE #{jt}.#{t_fk} = #{t}.#{t_pk}
        AND (#{t}.name = '#{tag_names.join("' OR #{t}.name='")}')
        AND #{o}.#{o_pk} = #{jt}.#{o_fk}"
  ...
end

Notice that tag_names is directly interpolated into the generated SQL?

First of all, am I seeing things correctly? If so, we should simply be
calling #quote here, right?

Bye!
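As an added example (not code from the original post or from the acts_as_taggable plugin), the string-building of find_tagged_with reproduced in isolation next to a quoted version, with a tiny lexer showing how a database would split the resulting string literals. The table and column names are fixed stand-ins for what set_locals_for_sql returns, and sql_quote is a minimal stand-in for ActiveRecord's connection.quote, which is what the real fix should call.

```ruby
# Added example, not code from the post or the acts_as_taggable plugin. Table and
# column names are fixed stand-ins for set_locals_for_sql; sql_quote stands in
# for ActiveRecord's connection.quote, which the real fix should call.
N = { :o => 'posts', :o_pk => 'id', :o_fk => 'post_id',
      :t => 'tags', :t_pk => 'id', :t_fk => 'tag_id', :jt => 'tags_posts' }
# The query skeleton of find_tagged_with, with the tag-name clause plugged in.
def tag_query(name_clause)
  "SELECT #{N[:o]}.* FROM #{N[:jt]}, #{N[:o]}, #{N[:t]} " \
  "WHERE #{N[:jt]}.#{N[:t_fk]} = #{N[:t]}.#{N[:t_pk]} AND #{name_clause} " \
  "AND #{N[:o]}.#{N[:o_pk]} = #{N[:jt]}.#{N[:o_fk]}"
end
# Mirrors the plugin: tag names are dropped straight into the SQL text.
def unsafe_tag_sql(tag_names)
  tag_query("(#{N[:t]}.name = '#{tag_names.join("' OR #{N[:t]}.name='")}')")
end
# One SQL literal with embedded quotes doubled, so the value cannot end it early.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end
# The fix: quote every tag name before it reaches the query string.
def safe_tag_sql(tag_names)
  tag_query("#{N[:t]}.name IN (#{tag_names.map { |n| sql_quote(n) }.join(', ')})")
end
# Tiny SQL lexer: returns the string literals a database would see ('' is an
# escaped quote), or nil when a literal runs off the end of the statement.
def sql_string_literals(sql)
  literals, i = [], 0
  while i < sql.length
    if sql[i] == "'"
      buf, i = '', i + 1
      loop do
        return nil if i >= sql.length           # opened but never closed
        if sql[i] == "'"
          break unless sql[i + 1] == "'"        # lone quote closes the literal
          i += 1                                # '' -> keep one quote
        end
        buf << sql[i]
        i += 1
      end
      literals << buf
    end
    i += 1
  end
  literals
end
if __FILE__ == $0
  tags = ['rails', "O'Reilly"]   # constructed input: a plain name with an apostrophe
  p sql_string_literals(unsafe_tag_sql(tags))  # nil: the apostrophe split the literal
  p sql_string_literals(safe_tag_sql(tags))    # ["rails", "O'Reilly"]
end
```

An ordinary tag name containing an apostrophe is enough to break the interpolated query; the quoted version keeps every name inside its own literal.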