Attempted SQL injection against will_paginate


Chris McCann

Mar 12, 2015, 12:23:53 PM
to sdr...@googlegroups.com
One of my apps uses will_paginate and I received several exception notifications overnight that indicate someone tried a SQL injection attack against the app using the :page parameter.  How should I handle this?

The route they tried:

...events/upcoming?page=convert%28int%2Cdb_name%28%29%29%20and%201%3D1

The resulting error:

A WillPaginate::InvalidPage occurred in events#upcoming:

 "convert(int,db_name()) and 1=1" given as value, which translates to '0' as page number
  /var/www/rails/apollo_production/shared/bundle/ruby/1.8/gems/will_paginate-2.3.16/lib/will_paginate/collection.rb:27:in `validate'

Disregarding the general irritation this creates (how dare someone try to SQL inject my app!), what's the right way to detect and handle this?

Cheers,

Chris

James Miller

Mar 12, 2015, 12:29:03 PM
to sdr...@googlegroups.com
Could add something like this to ensure the page param is valid, then call this instead of passing the param directly when paginating:

def page
  p = params[:page].to_i
  p > 1 ? p : 1
end

James

--
SD Ruby mailing list
sdr...@googlegroups.com
http://groups.google.com/group/sdruby
---
You received this message because you are subscribed to the Google Groups "SD Ruby" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sdruby+un...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Chris McCann

Mar 12, 2015, 12:33:54 PM
to sdr...@googlegroups.com
Thanks, Bensie, that's along the lines of what I was considering doing.


Rob Kaufman

Mar 12, 2015, 12:35:08 PM
to sdr...@googlegroups.com, sdr...@googlegroups.com
On the plus side, other than throwing an exception, at least the injection attack is blocked.

Rob


Sent from Mailbox


Rob Kaufman

Mar 12, 2015, 12:40:54 PM
to sdr...@googlegroups.com, sdr...@googlegroups.com
Not sure if you’re using strong parameters or not, but this is an interesting approach: https://github.com/zendesk/stronger_parameters.  Anyone out there using it?

Rob


Sent from Mailbox

Ben Wanicur

Mar 12, 2015, 2:53:39 PM
to sdr...@googlegroups.com
That's interesting and I'd be curious to see how you ended up with a SQL injection attack.  I always thought that if you use the standard ActiveRecord / WillPaginate API for querying, it should handle SQL injection attacks.  For example:  MyModel.where(...).paginate(page: params[:page], per_page: 10)

The previous query is NOT susceptible to SQL injection attacks, yes?

Rob Kaufman

Mar 12, 2015, 2:56:20 PM
to sdr...@googlegroups.com, sdr...@googlegroups.com
Ben - he's saying the injection attack was not successful, but because it generates a 500, it causes a lot of annoying log / error reports and possibly process restarts, depending on your config.

Best,
Rob


Sent from Mailbox

Ben Wanicur

Mar 12, 2015, 3:00:49 PM
to sdr...@googlegroups.com
Right on.  In that case and if it's useful to know about these attacks, you could capture the exception (log or track IP and other info) and do something like Bensie suggests in the rescue block.
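Putting James's coercion and Ben's logging suggestion together, as an added example (not code posted by anyone in the thread): coerce :page to a usable integer before it reaches paginate, and record values that do not look like a page number instead of letting WillPaginate::InvalidPage turn them into 500s. The MAX_PAGE bound, the env Hash standing in for request data, and the log format are assumptions of this example.

```ruby
require "logger"

# Added example, not from the thread: a helper to call instead of passing
# params[:page] straight to paginate.
module PageParam
  MAX_PAGE = 10_000 # assumed upper bound; choose one that fits your data

  # Returns [page, suspicious]. page is always a usable Integer >= 1;
  # suspicious is true when the raw value was not a plain positive integer
  # (e.g. the "convert(int,db_name()) and 1=1" value from the thread).
  def self.coerce(raw)
    s = raw.to_s.strip
    return [1, false] if s.empty?            # no page given: first page
    return [1, true] unless s =~ /\A\d+\z/   # anything non-numeric is suspect
    n = s.to_i
    return [1, true] if n < 1                # "0": still not a valid page
    [[n, MAX_PAGE].min, n > MAX_PAGE]        # clamp absurdly large values
  end

  # Controller-style helper: logs the suspicious value with request context
  # and returns the page to paginate with. env is a plain Hash here standing
  # in for request.remote_ip / request.path (assumed shape, not a Rails object).
  def self.page_for(raw, env = {}, logger = Logger.new($stderr))
    page, suspicious = coerce(raw)
    if suspicious
      logger.warn(format("invalid page parameter ip=%s path=%s value=%p",
                         env[:remote_ip], env[:path], raw.to_s[0, 80]))
    end
    page
  end
end

if __FILE__ == $0
  # Constructed request mirroring the URL Chris posted, already URL-decoded.
  env = { remote_ip: "192.0.2.10", path: "/events/upcoming" }
  p PageParam.page_for("convert(int,db_name()) and 1=1", env) # => 1 (and a warn line)
  p PageParam.page_for("7", env)                              # => 7
end
```

In a controller this replaces params[:page] in the paginate call, so the bad value is logged once with its IP and path and the request still renders page 1.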

Tom Harrison

Mar 23, 2015, 2:32:55 PM
to sdr...@googlegroups.com
Thanks for posting -- we just got hit with 5000 attempts like this; a bunch of variants all trying to get something to the database.  They appear to have failed.  So there's some bot out there.  Shoo.

We're using WillPaginate 3.0.7.