I am new to RoR and I have a basic question.
A colleague told me that the following code can cause a NoSQL Injection:
User.find_by(username: params[:username])
I know that I am not supposed to read directly from params, but I still think that the code cannot generate any NoSQL injections. Am I wrong?
Your colleague is wrong, and should produce a working exploit if he believes this is true.
Providing a hash of key/value pairs to Rails' `find_by` or `where` methods is the intended, secure, and correct way of using those methods. The keys and values are always made safe before being used in a query.

There are certain problems that Rails will not protect you from. For example, the value of `params[:username]` could be a gigabyte of text, a `File` object, a nested hash of key/value pairs, etc., but this isn't an "injection" per se. Any special characters that could cause the meaning of the query to be changed will have no effect.
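An added example, not code from the question or the answer above, illustrating the second half of the answer: the hash form of `find_by` treats the value as data, but nothing stops that value from being oversized, an uploaded file, or a nested hash. The `username_param` guard below enforces those properties in plain Ruby before the lookup; `User.find_by` here is an in-memory stand-in for ActiveRecord's hash-form method, and `MAX_USERNAME_LENGTH`, `BadParam`, `USERS` and `lookup_user` are all assumed names for the sake of the example.

```ruby
require "stringio"

# Assumed application limit for a username; pick whatever the schema allows.
MAX_USERNAME_LENGTH = 64

# Raised when a request parameter has the wrong shape. Assumed name.
class BadParam < ArgumentError; end

# Returns a plain String that is safe to hand to find_by(username: ...),
# or raises BadParam. This is the check Rails itself does not perform:
# find_by will happily accept a File, a nested Hash, or a gigabyte of text.
def username_param(params, key = :username, max: MAX_USERNAME_LENGTH)
  value = params[key]
  raise BadParam, "#{key} missing" if value.nil?
  # Rejects Hash (nested key/value pairs), Array, File/IO (multipart
  # uploads), and anything else that is not a String.
  raise BadParam, "#{key} must be a String, got #{value.class}" unless value.is_a?(String)
  raise BadParam, "#{key} too long (#{value.bytesize} bytes)" if value.bytesize > max
  raise BadParam, "#{key} contains NUL" if value.include?("\0")
  value
end

# Constructed sample table standing in for the users table.
USERS = [
  { id: 1, username: "alice" },
  { id: 2, username: "bob" },
].freeze

module User
  # Stand-in for ActiveRecord's hash-form find_by (assumption, not the
  # real implementation): every condition is compared as a value, so a
  # username of "' OR 1=1 --" is simply a string nobody has.
  def self.find_by(conditions)
    USERS.find { |row| conditions.all? { |k, v| row[k] == v } }
  end
end

# What a controller action would do: validate the parameter, then query
# with the hash form exactly as in the question.
def lookup_user(params)
  User.find_by(username: username_param(params))
end

if __FILE__ == $PROGRAM_NAME
  p lookup_user(username: "alice")
  p lookup_user(username: "' OR 1=1 --")
  begin
    lookup_user(username: { "$ne" => "" })
  rescue BadParam => e
    puts "rejected: #{e.message}"
  end
end
```

The guard is deliberately separate from the query: the query is not where the risk lives, so it stays as the one-liner from the question, and the shape checks sit in front of it where a code reviewer can see them.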