patch active_record for CVE-2012-2695

See http://seclists.org/oss-sec/2012/q2/504 test plan: Should be covered by unit tests. Change-Id: I96b32f6e1056e26c9ca343b317492bcb5504a45a Reviewed-on: https://gerrit.instructure.com/11568 Tested-by: Jenkins <jenkins@instructure.com> Reviewed-by: Jon Jensen <jon@instructure.com> Reviewed-by: Brian Palmer <brianp@instructure.com>
2012-06-13 07:47:50 -06:00 · 2012-06-13 07:47:50 -06:00 · 735b18ac74
parent 9e396136cd
commit 735b18ac74
2 changed files with 57 additions and 0 deletions
--- a/config/initializers/rails_patches.rb
+++ b/config/initializers/rails_patches.rb
@ -160,3 +160,38 @@ else
    end
  end
 end
+
+if Rails::VERSION::MAJOR == 2
+  # So far a new version of rails 2.3 has not been released to patch this.
+  # Hopefully the next minor version (if there is one) will incorporate it
+  # and we can add another && Rails::VERSION::MINOR < condition to above
+  class ActiveRecord::Base
+    def self.sanitize_sql_hash_for_conditions(attrs, default_table_name = quoted_table_name, top_level = true)
+      attrs = expand_hash_conditions_for_aggregates(attrs)
+
+      conditions = attrs.map do |attr, value|
+        table_name = default_table_name
+
+        if not value.is_a?(Hash)
+          attr = attr.to_s
+
+          # Extract table name from qualified attribute names.
+          if attr.include?('.') and top_level
+            attr_table_name, attr = attr.split('.', 2)
+            attr_table_name = connection.quote_table_name(attr_table_name)
+          else
+            attr_table_name = table_name
+          end
+
+          attribute_condition("#{attr_table_name}.#{connection.quote_column_name(attr)}", value)
+        elsif top_level
+          sanitize_sql_hash_for_conditions(value, connection.quote_table_name(attr.to_s), false)
+        else
+          raise ActiveRecord::StatementInvalid
+        end
+      end.join(' AND ')
+
+      replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
+    end
+  end
+end
--- a/spec/models/active_record_base_spec.rb
+++ b/spec/models/active_record_base_spec.rb
@ -349,4 +349,26 @@ describe ActiveRecord::Base do
      a.should == 1
    end
  end
+
+  context "Finder tests" do
+    before(:each) do
+      @user = user_model
+    end
+
+    it "should fail with improper nested hashes" do
+      lambda {
+        User.find(:first, :conditions => { :name => { :users => { :id => @user.id }}})
+      }.should raise_error(ActiveRecord::StatementInvalid)
+    end
+
+    it "should fail with dot in nested column name" do
+      lambda {
+        User.find(:first, :conditions => { :name => { "users.id" => @user.id }})
+      }.should raise_error(ActiveRecord::StatementInvalid)
+    end
+
+    it "should not fail with a dot in column name only" do
+      User.find(:first, :conditions => { 'users.id' => @user.id }).should_not be_nil
+    end
+  end
 end