0

Am a security enthusiast and a total noob to RoR. Now there is this blog i came across regarding SQL Injections in RoR with Active Records in place.

SQLi in RoR Active Records

However the blog itself dates back to Jan 2013. Nevertheless, I tried to replicate the SQLi in a test environment with Rails 4.2 and ActiveRecord 4.2.

I tried using:

User.find_by_name("kotori", :select => "id, name")

from the blog above but I received the following error:

ArgumentError: wrong number of arguments (2 for 1)

Thought process: Since the blog is pretty old, may be it's a deprecated feature as per my test setup. Now the blog was from Jan 13, so I took the active record build from Dec 2012 from here thinking that the code snippet above will definitely work at least in this release, but the error was the same. Moreover, I also tried going through the documentation of the same here but this also does not give any insight into the code snippet in question.

Now what am I missing here? Is it that the blog mentioned above itself is non-trustworthy or is it that am really dumb :)

qre0ct
  • 5,680
  • 10
  • 50
  • 86

2 Answers2

1

find_by_name only expects one argument to it, and that's name of the object you want to find. And it will return you an ActiveRecord object on which you can call other methods.

Other thing: find_by_name only returns a single record, so you can do:

User.where(name: 'kotori').pluck(:id, :name)

Note: Since, find_by_name returns one instance, you can't call pluck on that.

Arslan Ali
  • 17,418
  • 8
  • 58
  • 76
  • The blog mentioned above says it is possible to do something of the form: User.find_by_name("kotori", :select => "id, name") Am I interpreting it wrong ? – qre0ct May 06 '16 at 08:14
1

I am pretty certain that the :select => "id, name" options were last seen in Rails 2.3, quite a few years back. Community support (and any security fixes) for 2.3 ended about 3 years ago, very nearly the same time that the referenced article was written, when Rails 4.0 was released.

The information was not only very well known at the time, but had already been removed from Rails 3.0 more than 3 year prior to the article. So, the author was using some pretty significantly outdated information to support the article. There definitely were still sites running 2.3 then, because there still are (see this SO question from yesterday). In reading the article, it was essentially factual; however, it used information that was aging quickly to make key points, but did not actually identify it as such.

On to modern times. You can still achieve the same goal, but now it requires different means. pluck will allow you to select specific columns (e.g. only the id and name fields) efficiently, like so:

User.where(name: 'kotori').pluck(:id, :name)

This will generate an optimized SQL statement, and moreover, since there are no SQL snippets passed to the query engine, no opportunity for SQL injection. Security has been a top priority of the Rails community for quite some time, and that's a good thing.

Community
  • 1
  • 1
Michael Gaskill
  • 7,913
  • 10
  • 38
  • 43