Hi Andy
I was reading US-CERT and came across this report
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6496We are using ruby 3.2.6 (according to the current manifest file), and this is an affected version.
Overview for those who do not want to read the report
SQL injection vulnerability in the Active Record component
in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before
3.2.10 allows remote attackers to execute arbitrary SQL commands via a
crafted request that leverages incorrect behaviour of dynamic finders in
applications that can use unexpected data types in certain find_by_
method calls
I do not know if we use the affected system call in the code, but I thought I should bring it to your attention.
Regards
Cyclooctane