All of the standard finders and dynamic attribute finders
sanitize single attribute arguments, but there is only so much that they can do.
Remember the cardinal rule: never interpolate user input into a SQL string.
Most of the Rails finders that accept SQL also accept an array, so you can turn code
like "SELECT * FROM people WHERE name = '#{search_name}'" into ["SELECT * FROM people
WHERE name = ?", search_name] nearly anywhere. (Note the lack of quoting around the
question mark; Rails inspects the type of search_name and quotes it appropriately.)
Any special SQL characters in the user-provided name value are escaped for you, so you
don't have to worry about them.
For any situations where you need to do this quoting yourself, you can steal the private
sanitize_sql method from ActiveRecord::Base (just don't tell anyone):
# Reopen the singleton class and make the protected class method public
class << ActiveRecord::Base
public :sanitize_sql
end
name = %(O'Reilly)
# The array form quotes the string and doubles the embedded single quote
puts ActiveRecord::Base.sanitize_sql([%(WHERE name = ?), name])
# >> WHERE name = 'O''Reilly'
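As an added example (not the book's code and not ActiveRecord's implementation), here is a minimal stand-in for the array form that runs without Rails, so you can watch the type-dependent quoting the text describes; it handles strings, numbers, nil and arrays, and the 1/0 boolean quoting is an assumption about the target database.

```ruby
# Added example: a small re-implementation of the ["... = ?", value]
# quoting so it can be run outside a Rails application. ActiveRecord's
# real sanitize_sql is more complete; this covers the types discussed.

# Quote one value according to its Ruby type: strings get single quotes
# with embedded quotes doubled, numbers are emitted bare, nil becomes
# NULL, arrays become a comma-separated list suitable for IN (...).
def quote_sql_value(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "1"   # assumption: database stores booleans as 1/0
  when false          then "0"
  when Array          then value.map { |v| quote_sql_value(v) }.join(", ")
  else                     "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each ? in the statement with the quoted argument, raising when
# the number of values does not match the number of placeholders.
def sanitize_sql_array(ary)
  statement, *values = ary
  placeholders = statement.count("?")
  unless placeholders == values.length
    raise ArgumentError,
          "wrong number of bind variables (#{values.length} for #{placeholders})"
  end
  values = values.dup
  statement.gsub("?") { quote_sql_value(values.shift) }
end

# Plain strings pass through untouched; arrays are expanded as above.
def sanitize_sql(condition)
  condition.is_a?(Array) ? sanitize_sql_array(condition) : condition
end

if __FILE__ == $0
  name = %(O'Reilly)
  puts sanitize_sql(["WHERE name = ?", name])
  # => WHERE name = 'O''Reilly'
  puts sanitize_sql(["WHERE id IN (?) AND deleted_at IS ?", [1, 2, 3], nil])
  # => WHERE id IN (1, 2, 3) AND deleted_at IS NULL
  # Interpolation, by contrast, leaves the quote unescaped and breaks the statement:
  puts "WHERE name = '#{name}'"
  # => WHERE name = 'O'Reilly'
end
```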
Ruby's Environment
No analysis of Rails security would be complete without examining the environment
that Ruby lives in.
Using the Shell
The Kernel.system method is useful for basic interaction with system services
through the command line. As with SQL, though, it is important to ensure that you
know exactly what is being passed, especially if it comes from an external source.