Over a million developers have joined DZone.

PostgreSQL & Active Record: Two SQL Injection Vulnerabilities

· Java Zone

Microservices! They are everywhere, or at least, the term is. When should you use a microservice architecture? What factors should be considered when making that decision? Do the benefits outweigh the costs? Why is everyone so excited about them, anyway?  Brought to you in partnership with IBM.

If you're working with Active Record and PostgreSQL, you may want to be aware of a pair of SQL injection vulnerabilities publicized by Rafael Mendonça França. According to his mailing list email archived here on oss-sec, the vulnerabilities affect PostgreSQL versions above 2.0, and rely on some of the unconventional data types found in Postgres:

Only applications which query against either bitstring or range types are vulnerable. The particular data types affected depend on the version of Rails you're using, but the vulnerable code will look the same. Vulnerable code will take either take the form of:

Model.where(bitstring: params[:some_value])

Model.where(range: params[:from]..params[:to])

The specific versions affected is included below, however all users running an affected release should upgrade immediately.

According to França, workarounds are not really practical at this point, and upgrading is definitely recommending, and for those who cannot currently upgrade, patches are available, at least for users of more recent versions.

If you're using an older version, it's probably time to upgrade. Check out França's email transcript for all the details.


Discover how the Watson team is further developing SDKs in Java, Node.js, Python, iOS, and Android to access these services and make programming easy. Brought to you in partnership with IBM.

Topics:

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}