NoSQL Injection with a simple find_by in RoR


I am new to RoR and I have a basic question.

A colleague told me that the following code can cause a NoSQL Injection:

User.find_by(username: params[:username])

I know that I am not supposed to read directly from param but I still think that the code cannot generate any NoSQL injections. Am I wrong?

1 answer

user229044 (best answer):

Your colleague is wrong, and should produce a working exploit if he believes this is true.

Providing a hash of key/value pairs to Rails' find_by or where methods is the intended, secure, and correct way of using those methods. The keys and values are always made safe before being used in a query.

There are certain problems that Rails will not protect you from; for example, the value of params[:username] could be a gigabyte of text, a File object, a nested hash of key/value pairs, etc., but this isn't an "injection" per se. Any special characters that could cause the meaning of the query to be changed will have no effect.
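The following is an added illustration, not code from the question, the answer, or Rails itself. It models in plain Ruby why a hash-style condition cannot change the meaning of a query while a hand-built string can: the value always goes through a quoting routine before it lands in the SQL. The quoting function here is a simplified stand-in for what a database adapter does, and the username validator with its length limit is an assumed application-level check for the "gigabyte of text / File object / nested hash" cases the answer mentions, not anything Rails provides by default.

```ruby
# Added example: a minimal model of hash-style conditions versus string
# interpolation. quote_literal is a simplified stand-in for adapter quoting,
# NOT the ActiveRecord implementation.

# Render a Ruby value as a SQL literal. Strings are wrapped in single quotes
# with embedded single quotes doubled (the standard SQL escaping rule), so a
# quote in user input can never terminate the literal early.
def quote_literal(value)
  case value
  when String  then "'" + value.gsub("'") { "''" } + "'"
  when Integer then value.to_s
  when nil     then "NULL"
  else
    # Anything else (Hash, Array, File, ...) is refused rather than guessed at.
    raise ArgumentError, "refusing to quote #{value.class}"
  end
end

# Hash-style condition, as in User.find_by(username: ...): keys are column
# names chosen by the developer, values are always passed through
# quote_literal, so user input can only ever be a literal value.
def find_by_sql(table, conditions)
  where = conditions.map { |column, value| "#{column} = #{quote_literal(value)}" }.join(" AND ")
  "SELECT * FROM #{table} WHERE #{where} LIMIT 1"
end

# The unsafe counterpart: the value is spliced straight into the SQL text,
# so a quote in the input ends the literal and the rest becomes SQL.
def find_by_interpolated(table, username)
  "SELECT * FROM #{table} WHERE username = '#{username}' LIMIT 1"
end

# Assumed application-level check for the problems the answer says Rails will
# not prevent: a value that is not a String (nested hash, File object) or one
# that is absurdly large. The limit is an assumption for this example.
MAX_USERNAME_BYTES = 64

def validated_username(raw)
  raise ArgumentError, "username must be a String, got #{raw.class}" unless raw.is_a?(String)
  raise ArgumentError, "username exceeds #{MAX_USERNAME_BYTES} bytes" if raw.bytesize > MAX_USERNAME_BYTES
  raw
end

# Constructed hostile input: a classic quote-breakout attempt.
HOSTILE = "' OR '1'='1"

if __FILE__ == $PROGRAM_NAME
  puts find_by_sql("users", username: HOSTILE)          # quote stays inside the literal
  puts find_by_interpolated("users", HOSTILE)            # query meaning changes
  begin
    validated_username({ "$ne" => "x" })                  # nested hash from a query string
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the two rendered queries side by side: with the hash-style path the whole hostile string is a single quoted literal (compared for equality against the username column), whereas the interpolated path yields `WHERE username = '' OR '1'='1'`, which matches every row. The validator shows the shape of the extra check a practitioner would add before the lookup for type and size, which is a separate concern from injection.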