From 04dd9752926e41b3e1d7b6a357f1f4381aaeece9 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Thu, 4 Aug 2016 11:15:03 -0700
Subject: [PATCH 2/2] Fix unsafe query generation risk.

Redo of CVE-2012-2660, CVE-2012-2694 and CVE-2013-0155

CVE-2016-6317
---
 .../dispatch/request/json_params_parsing_test.rb | 43 ++++++++++++++++++++++
 .../relation/predicate_builder/array_handler.rb | 3 +-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/actionpack/test/dispatch/request/json_params_parsing_test.rb b/actionpack/test/dispatch/request/json_params_parsing_test.rb
index c609075..e8dec17 100644
--- a/actionpack/test/dispatch/request/json_params_parsing_test.rb
+++ b/actionpack/test/dispatch/request/json_params_parsing_test.rb
@@ -84,7 +84,50 @@ class JsonParamsParsingTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test "prevent null query" do
+    # Make sure we have data to find
+    klass = Class.new(ActiveRecord::Base) do
+      def self.name; 'Foo'; end
+      establish_connection adapter: "sqlite3", database: ":memory:"
+      connection.create_table "foos" do |t|
+        t.string :title
+        t.timestamps null: false
+      end
+    end
+    klass.create
+    assert klass.first
+
+    app = ActionDispatch::ParamsParser.new ->(env) {
+      request = ActionDispatch::Request.new env
+      params = ActionController::Parameters.new request.parameters
+      if params[:t]
+        klass.find_by_title(params[:t])
+      else
+        nil
+      end
+    }
+
+    assert_nil app.call(make_env({ 't' => nil }))
+    assert_nil app.call(make_env({ 't' => [nil] }))
+
+    [[[nil]], [[[nil]]]].each do |data|
+      assert_deprecated do
+        assert_nil app.call(make_env({ 't' => data }))
+      end
+    end
+  end
+
   private
+    def make_env json
+      data = JSON.dump json
+      content_length = data.length
+      {
+        'CONTENT_LENGTH' => content_length,
+        'CONTENT_TYPE' => 'application/json',
+        'rack.input' => StringIO.new(data)
+      }
+    end
+
     def assert_parses(expected, actual, headers = {})
       with_test_routing do
         post "/parse", actual, headers
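Review bot: In the new `make_env` helper, `'CONTENT_LENGTH' => content_length` is built from `data.length`, which is an Integer and counts characters rather than bytes; Rack's SPEC expects env values to be Strings, and a JSON body with non-ASCII content would declare a length shorter than what is actually in `rack.input`. The inputs in this test are pure ASCII so it passes today, but the helper sits under `private` for reuse by other tests in this class, so `'CONTENT_LENGTH' => data.bytesize.to_s` would keep it correct for any payload. As a point of style, the `if params[:t] ... else nil end` inside the lambda reads more naturally as `klass.find_by_title(params[:t]) if params[:t]`. The class header and the remainder of `assert_parses` lie outside this hunk.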
diff --git a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
index fb08326..d4e74eb 100644
--- a/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
+++ b/activerecord/lib/active_record/relation/predicate_builder/array_handler.rb
@@ -14,7 +14,8 @@ module ActiveRecord
             it for 'IN' conditions.
           MSG
 
-          values = values.flatten
+          flat_values = values.flatten
+          values = flat_values unless flat_values.include?(nil)
         end
 
         return attribute.in([]) if values.empty? && nils.empty?
-- 
2.8.1
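Review bot: Nothing in the code records why a flattened array containing nil is deliberately left nested, so a later cleanup could fold `flat_values` back into a plain `values.flatten` and silently reintroduce the issue; a why-comment above `flat_values = values.flatten` would guard it, e.g. `# Do not flatten when the result would contain nil: [[nil]] must not collapse to [nil], since a lone nil is presumably turned into a NULL predicate further down (CVE-2016-6317).`. The deprecation message just above still tells callers to flatten their array themselves, which for a nil-containing array produces exactly the shape this check now refuses; it could add that nil must be given as a top-level element instead. The enclosing method begins and ends outside this hunk, and the downstream handling of a single-element array is inferred rather than visible here.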