Squeel and Rails CVE-2012-2661


If you’ve been following the news today, you know that the Rails Core team released an update to Rails that fixes a vulnerability triggered when certain user input is passed into ActiveRecord via where. The fix involves changes to ActiveRecord::PredicateBuilder. Since Squeel works by bypassing the PredicateBuilder and lazily evaluating the constructed query at the time of SQL generation, the Rails change does not cover it, and a similar fix was necessary in Squeel itself. It’s on this commit on the master branch. If you’re using Squeel, please take a look at the commit notes, try it out on your app, and let me know if anything breaks as a result.

Side note: there’s another Rails release incoming with an expansion of this fix. I’m not certain that it makes sense for me to backport the upcoming fix, since it conflicts with a key feature provided by Squeel. I’ll expand on what I mean once the vulnerability’s been officially disclosed. Thanks for testing!
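One defensive pattern for the problem described above, as an added example that is not code from Squeel or from the Rails fix: allow-list request parameters before they reach a where call, so only known columns with plain scalar (or array-of-scalar) values get through, and anything else is rejected loudly rather than handed to the query builder. The PERMITTED_FILTER_COLUMNS table and its posts columns are constructed for illustration.

```ruby
# Added example: allow-list filter for user-supplied query conditions.
# Assumes the application only ever filters on a fixed set of columns with
# scalar values; nested hashes and unknown keys are rejected, not dropped.

class UnsafeCondition < StandardError; end

# Constructed allow-list: table name => columns that request params may filter on.
PERMITTED_FILTER_COLUMNS = {
  "posts" => %w[id title author_id published].freeze
}.freeze

SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def scalar?(value)
  SCALAR_TYPES.any? { |t| value.is_a?(t) }
end

# Returns a new Hash of permitted column => scalar/array pairs, with string keys.
# Raising on bad input keeps the rejection visible in application logs.
def safe_conditions(table, params)
  allowed = PERMITTED_FILTER_COLUMNS.fetch(table) do
    raise UnsafeCondition, "unknown table #{table}"
  end
  params.each_with_object({}) do |(key, value), out|
    column = key.to_s
    raise UnsafeCondition, "column not permitted: #{column}" unless allowed.include?(column)
    case value
    when Hash
      raise UnsafeCondition, "nested condition for #{column}"
    when Array
      raise UnsafeCondition, "non-scalar element for #{column}" unless value.all? { |v| scalar?(v) }
      out[column] = value
    else
      raise UnsafeCondition, "unsupported value for #{column}" unless scalar?(value)
      out[column] = value
    end
  end
end

# Constructed request input; in an app this would be Post.where(safe_conditions("posts", params[:filter])).
if __FILE__ == $PROGRAM_NAME
  p safe_conditions("posts", { "id" => [1, 2], "published" => true })
  begin
    safe_conditions("posts", { "id" => { "nested" => 1 } })
  rescue UnsafeCondition => e
    puts "rejected: #{e.message}"
  end
end
```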
