💭
In my restless dreams, I see that town.

Sergio Tapia sergiotapia

View gist:89c2b90251c4d489a162

This advisory concerns a security risk in all supported versions of Active Record. There is no patch to apply for this issue.

Due to the query API that Active Record supports, there is a risk of unsafe query generation in two scenarios. Databases with a table that contains a column with the same name as the table, and queries with join aliases that conflict with column names, could be vulnerable to an attack in which the attacker manipulates the SQL queries generated by Rails.

Determining Vulnerability

A vulnerable application will either contain columns named identically to their table, or have column names which conflict with join aliases.

For example, if you had a model called SecurityToken that contained an attribute called security_tokens, then the following code could be manipulated to return additional records:

View gist:41a7c365afff877161ee
[
{
"Created_Datetime":"7\/26\/2012 8:21:03 PM",
"Id":312304,
"Last_Login_Datetime":"7\/10\/2014 11:48:52 PM",
"LeagueConquest":{
"Leaves":2,
"Losses":151,
"Name":"Conquest",
"Points":81,
View gist:252ad8e746d3905d1075
[
{
"Created_Datetime":"2\/16\/2013 2:57:59 AM",
"Id":1067196,
"Last_Login_Datetime":"7\/10\/2014 2:36:08 AM",
"LeagueConquest":{
"Leaves":0,
"Losses":0,
"Name":"Conquest",
"Points":0,
View gist:3144104
This is some text.
And *another* text.
public class Foo
{
public string Person { get; set; }
}
Toodles!
View gist:4751958
Pentastream::Application.routes.draw do
  get "streams/index"
  get "streams/updateall"
  root :to => 'streams#index'
end
View gist:5147501
| Host Name | IP Address/URL                | Record Type   |
|-----------|-------------------------------|---------------|
| @         | http://www.YOUR-DOMAIN.com    | URL Redirect  |
| www       | heroku-app-name.herokuapp.com | CNAME (alias) |
sergiotapia / gist:5216735
Created Mar 21, 2013
Documentation: Plugin - "Dialogue"
View gist:5216735
Plugin name: **dialogue**
URL: [https://moodle.org/plugins/view.php?plugin=mod_dialogue](https://moodle.org/plugins/view.php?plugin=mod_dialogue)
Official plugin documentation: [http://docs.moodle.org/dev/Dialogue_2.0_specificatino](http://docs.moodle.org/dev/Dialogue_2.0_specificatino)
===========================================================================================
#Database
View gist:5216740
View gist:5360855
int cantidadTotalDePanes = 20;
int panesPorCliente = 3;
while (cantidadTotalDePanes > 0) {
    if (cantidadTotalDePanes > panesPorCliente) {
        Console.WriteLine("Entrego a cliente " + panesPorCliente + " panes.");
        cantidadTotalDePanes -= panesPorCliente;
    } else {
        // Not enough loaves left for a full order; stop here.
        // Without this break the loop would never terminate.
        break;
    }
}