I just wanted to let everyone know that I found a major security problem with the Scaffolding Extensions plugin that I develop. There is an SQL injection vulnerability in the search results function due to lack of sanitation of user input. If you are using the plugin and allowing public access to the search feature it provides, I highly recommend you update the plugin as soon as possible.
The vulnerability is trivial to exploit as evidenced by the following code:
params[:null].each {|field| conditions[0] << #{class_name}.table_name + '.' + field + ' IS NULL' } if params[:null] params[:notnull].each {|field| conditions[0] << #{class_name}.table_name + '.' + field + ' IS NOT NULL' } if params[:notnull]
The latest revision of the plugin, which fixes this vulnerability, is available at:
svn: svn://suven.no-ip.org/rails/plugins/scaffolding_extensions file: http://suven.no-ip.org/scaffolding_extensions.tar.gz
I found this bug as I was finishing up a bunch of new features for the plugin (which are also included in the latest revision), such as:
1) Pagination of the search results 2) Only update attributes specified in the scaffold (no need for attr_protected or attr_accessible) 3) Allow outputing the code generated by the scaffold method instead of evaluating it (a poor man's generator) 4) Allow choosing the visible name for each attribute 5) Use HTML label tags in forms 6) Specify different fields used for each scaffold type (i.e. some fields can be shown but are not editable) 7) Add some testing code that allows for limited testing of the plugin in your environment 8) Various bug fixes and minor enhancements
I apologize for the serious vulnerability this plugin exposed, especially since the vulnerability is fairly obvious just by looking at the code. I'll be more diligent in the future.
Jeremy
