
Use strong parameters pattern for Community sort user input #3650

Open
pgwillia opened this issue Nov 27, 2024 · 1 comment

pgwillia commented Nov 27, 2024

Jupiter relies on the lower layers (e.g., ActiveRecord, Solr) to validate HTTP request parameters. For example, in this case sort is passed with the stringified SQL injection attempt. This could be handled at a higher code level (maybe model or controller) where the set of possible sortable fields is known and the string thrown out before reaching ActiveRecord.

https://guides.rubyonrails.org/v7.1/action_controller_overview.html#strong-parameters

View details in Rollbar: https://app.rollbar.com/a/ualbertalib/fix/item/jupiter/2022


ActiveRecord::UnknownAttributeReference: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "(/**//**/sElEcT 1 /**//**/fRoM(/**//**/sElEcT count(*),/**//**/cOnCaT((/**//**/sElEcT (/**//**/sElEcT /**//**/uNhEx(/**//**/hEx(/**//**/cOnCaT(0x7e,0x413936313543373834333044,0x7e)))) /**//**/fRoM information_schema./**//**/tAbLeS /**//**/lImIt 0,1),floor(rand(0)*2))x /**//**/fRoM information_schema./**//**/tAbLeS group by x)a)".This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql().
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/sanitization.rb", line 184, in disallow_raw_sql!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 1875, in preprocess_order_args
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 604, in order!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/relation/query_methods.rb", line 599, in order
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/querying.rb", line 23, in order
  File "/var/www/sites/jupiter/app/controllers/communities_controller.rb", line 7, in block (2 levels) in index
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/mime_responds.rb", line 214, in respond_to
  File "/var/www/sites/jupiter/app/controllers/communities_controller.rb", line 5, in index
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/basic_implicit_render.rb", line 6, in send_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/base.rb", line 224, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/rendering.rb", line 165, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/callbacks.rb", line 259, in block in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 121, in block in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actiontext-7.1.3.4/lib/action_text/rendering.rb", line 23, in with_renderer
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actiontext-7.1.3.4/lib/action_text/engine.rb", line 69, in block (4 levels) in <class:Engine>
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 130, in instance_exec
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 130, in block in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/callbacks.rb", line 141, in run_callbacks
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/callbacks.rb", line 258, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/rescue.rb", line 25, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/instrumentation.rb", line 74, in block in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications.rb", line 206, in block in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications/instrumenter.rb", line 58, in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activesupport-7.1.3.4/lib/active_support/notifications.rb", line 206, in instrument
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/instrumentation.rb", line 73, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal/params_wrapper.rb", line 261, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/activerecord-7.1.3.4/lib/active_record/railties/controller_runtime.rb", line 32, in process_action
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/abstract_controller/base.rb", line 160, in process
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionview-7.1.3.4/lib/action_view/rendering.rb", line 40, in process
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal.rb", line 227, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_controller/metal.rb", line 309, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 49, in dispatch
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 32, in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 51, in block in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 131, in block in find_routes
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 124, in each
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 124, in find_routes
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/journey/router.rb", line 32, in serve
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/actionpack-7.1.3.4/lib/action_dispatch/routing/route_set.rb", line 882, in call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/flipper-1.3.0/lib/flipper/middleware/memoizer.rb", line 87, in memoized_call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/flipper-1.3.0/lib/flipper/middleware/memoizer.rb", line 45, in call
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/omniauth-2.1.2/lib/omniauth/strategy.rb", line 470, in call_app!
  File "/var/www/sites/jupiter/vendor/bundle/ruby/3.1.0/gems/omniauth-saml-2.1.0/lib/omniauth/strategies/saml.rb", line 86, in other_phase
pgwillia changed the title from "ActiveRecord::UnknownAttributeReference: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "record_created_at'".This method should not be called with user-provided values, such as request parameters" to "Use strong parameters pattern for Community sort user input" on Dec 10, 2024
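The controller-level check the issue asks for, as an added example that is not Jupiter's own code. Strong parameters only allowlist parameter keys, so the value of sort still has to be checked against the known sortable columns before it reaches .order; the column names below are assumptions, stand-ins for whatever Community attributes Jupiter actually exposes for sorting.

```ruby
# Added example, not from the Jupiter repository. Plain Ruby so it runs
# without Rails; the hashes returned are what you would hand to
# Community.order(...) in CommunitiesController#index.

# Assumed allowlist of sortable Community columns (replace with the real set).
SORTABLE_COLUMNS = %w[title record_created_at updated_at].freeze
SORT_DIRECTIONS  = %w[asc desc].freeze
DEFAULT_SORT     = { column: 'title', direction: 'asc' }.freeze

# Map a raw "sort" request parameter (e.g. "record_created_at desc") to a
# known-safe column/direction pair. Anything outside the allowlist, including
# the quoted "record_created_at'" and the commented SELECT payload from the
# Rollbar trace, falls back to the default instead of being forwarded as SQL.
def sanitized_sort(raw)
  return DEFAULT_SORT if raw.nil?

  column, direction = raw.to_s.strip.split(/\s+/, 2)
  direction = (direction || 'asc').downcase
  return DEFAULT_SORT unless SORTABLE_COLUMNS.include?(column)
  return DEFAULT_SORT unless SORT_DIRECTIONS.include?(direction)

  { column: column, direction: direction }
end

# The shape that produced the exception: the request string goes to .order
# verbatim. Rails 7.1 raises ActiveRecord::UnknownAttributeReference on it,
# but the input should be rejected before ActiveRecord ever sees it.
def unsafe_order_argument(params)
  params[:sort]
end

# Hardened: .order receives a {column => direction} hash of symbols, never a
# raw string, so ActiveRecord quotes the identifiers and an injection payload
# cannot be expressed at all.
def safe_order_argument(params)
  sort = sanitized_sort(params[:sort])
  { sort[:column].to_sym => sort[:direction].to_sym }
end
```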
