Ruby on Rails SQL injection
Description
A SQL injection vulnerability exists in the Active Record component of Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6, due to improper handling of nested query parameters. Rack parses bracketed parameter names (for example id[posts][author_id]=1) into nested hashes, and when application code passes such a user-controlled value straight to the where method without casting it to the expected scalar type, Active Record's predicate builder interprets the nested hash as a table/column/value structure rather than as a single value to compare against. An attacker can therefore craft a request whose hash value rewrites the generated SQL WHERE clause to compare against a table and column of their choosing, which allows unauthorized querying of arbitrary database tables and columns. The vulnerability is identified as CVE-2012-2695 and is a variant of the previously disclosed CVE-2012-2661; the fix for the earlier issue did not fully stop the recursive interpretation of nested hashes.
Remediation
Immediately upgrade to a release of Ruby on Rails that addresses CVE-2012-2695: 3.2.6, 3.1.6 or 3.0.14, or any later version. If immediate upgrading is not possible, implement input validation by explicitly casting every user-supplied parameter to its expected scalar type before passing it to Active Record query methods; once the value is a String or Integer there is no hash structure for the predicate builder to recurse into.
For example, replace vulnerable code that directly passes params:
Post.where(:id => params[:id]).all
with sanitized code that casts the parameter to a string:
Post.where(:id => params[:id].to_s).all
For numeric IDs, use .to_i instead of .to_s. Two caveats apply. First, a nested hash cast with .to_s becomes its inspected string (the same text Hash#inspect returns), which matches no row; a Hash or Array does not respond to .to_i at all, so a nested-parameter request against a .to_i cast raises a NoMethodError, which is an error response rather than an injection but is still better rejected explicitly (for example by casting to a string first and then to an integer). Second, if an endpoint legitimately accepts a list of ids (id[]=1&id[]=2), cast each element of the array rather than the array as a whole. Apply this pattern consistently across all Active Record queries that accept user input. Additionally, review your codebase for all instances where request parameters are passed directly to where, find, find_by, or similar query methods, and apply appropriate type casting or use parameterized queries.