mysql-binuuid-rails is vulnerable to SQL injection: Model.where(uuid: "ff' OR ''='") turns into:
SELECT `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11
ActiveRecord does not explicitly escape the Binary data type (Type::Binary::Data) for mysql. The escaping is implicit, as the Binary data type always converts its value to a hex string for ActiveRecord to use.
mysql-binuuid-rails uses a data type that is derived from the base Binary type, except that it doesn't convert the value to hex. Instead, it assumes the string value provided is a valid hex string and doesn't do any checks on it.
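
The difference between the two value types, as an added example (not code from the gem or from ActiveRecord): a simplified model of how the x'...' literal is built, with hypothetical class names and a constructed UUID in the test, plus a validating variant that rejects anything that is not a UUID.

```ruby
# Simplified model of the quoting step (no ActiveRecord or MySQL needed).
# Class and method names are hypothetical, chosen for this example.

# The x'<hex>' literal is built by interpolating the value's hex form.
def where_uuid(data)
  "SELECT `model`.* FROM `model` WHERE `model`.`uuid` = x'#{data.hex}'"
end

# Base Binary behaviour: bytes are always hex-encoded, so the literal can
# only ever contain [0-9a-f], whatever the caller passed in.
class HexEncodedData
  def initialize(bytes)
    @bytes = bytes
  end

  def hex
    @bytes.unpack1("H*")
  end
end

# Flawed behaviour described above: the string is assumed to be hex already
# and is passed through unchecked, so a quote ends the literal early.
class TrustedHexData
  def initialize(string)
    @string = string
  end

  def hex
    @string
  end
end

class InvalidUUID < StandardError; end

# Validating variant: only 32 hex digits (dashes stripped) are accepted.
class ValidatedUuidData
  attr_reader :hex

  def initialize(string)
    undashed = string.to_s.delete("-")
    raise InvalidUUID, "not a UUID: #{string.inspect}" unless undashed.match?(/\A\h{32}\z/)
    @hex = undashed.downcase
  end
end

if __FILE__ == $PROGRAM_NAME
  puts where_uuid(TrustedHexData.new("ff' OR ''='")) # the page's input
  puts where_uuid(HexEncodedData.new("ff' OR ''='")) # same input, hex-encoded
end
```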
mysql-binuuid-rails <= 1.1.0
The issue was worked on by Stan Pitucha, Geoff Evason and Emmanuel Joubaud from Envato.
CVE-2018-18476 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18476