NoSQL Injection with a simple find_by in RoR

126 views Asked by At

I am new to RoR and I have a basic question.

A colleague told me that the following code can cause a NoSQL Injection:

User.find_by(username: param[:username])

I know that I am not supposed to read directly from param but I still think that the code cannot generate any NoSQL injections. Am I wrong?

1

There are 1 answers

0
user229044 On BEST ANSWER

Your colleague is wrong, and should produce a working exploit if he believes this is true.

Providing a hash of key/value pairs to Rail's find_by or where methods is the intended, secure, and correct way of using those methods. The keys and values are always made safe before being used in a query.

There are certain problems that Rails will not protect you from, for example, the value of params[:username] could be a gigabyte of text, a File object, a nested hash of key/value pairs, etc. but this isn't an "injection" per se. Any special characters that could cause the meaning of the query to be changed will have no effect.