Rails OCI8 protecting from injection
30-05-2021
Problem
I am building a web form which I want to prepopulate with data from an external Oracle database. We are using the Rails OCI8 plug-in.
I want to ensure that I am not leaving myself open to injection by using the URL parameters directly in the query.
For example, in the controller:
    def new
      if params[:provider] && (u = findByUserName(params[:provider]))
        monkey = {
          :employeeEmail    => u['EMAIL_ADDRESS'],
          :employeeFirst    => u['FIRST_NAME'],
          :employeeLast     => u['LAST_NAME'],
          :userID           => u['LOGIN_ID'],
          :supervisorUserID => u['SUPERVISOR_ID'],
          :supervisorName   => u['SUPERVISOR_NAME'],
          :supervisorEmail  => u['SUPERVISOR_EMAIL']
        }
        @service = Service.new(monkey)
      else
        @service = Service.new
      end
    end
As you can see, params[:provider] is passed directly to the OCI8 query:
    def findByUserName(id)
      if id
        cursor = cursor_exec("SELECT DISTINCT
                              <QUERY INFO HERE>
                              AND external_user = :id
                              ORDER BY last_name, first_name", id)
        collection = cursor.fetch_hash()
        cursor.close
        logoff
        collection
      end
    end
The cursor_exec function:
    require 'oci8'

    def cursor_exec(sql, *params)
      @conn = OCI8.new('user', 'pass', 'server')
      # Any extra arguments are handed to OCI8#exec as bind variables.
      if params.length > 0
        cursor = @conn.exec(sql, *params)
      else
        cursor = @conn.exec(sql)
      end
    end
Will OCI8 properly sanitize the parameter through the bind, or is there a method I can use to be safer?
Solution
Since you are internally calling OCI8#exec(), the second parameter passed to it will be bound as a parameter to the query; you needn't worry about additional escaping. It should be protected internally by the exec() call.
exec(sql, *bindvars)
execute the sql statement. The type of return value depends on the type of sql statement: select; insert, update and delete; create, alter and drop; and PL/SQL.
When bindvars are specified, they are bound as bind variables before execution.
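To make the answer's point concrete, here is an added example that is not from the question or the answer: the lookup written with a bind variable next to an interpolated version, both run against RecordingConn, a constructed stand-in for an OCI8 connection (assumed here, not part of ruby-oci8) that only records what OCI8#exec would transmit, so it runs without an Oracle client.

```ruby
# Stand-in for an OCI8 connection (constructed for this example, not part of
# ruby-oci8): it records the statement text and the bind values that
# OCI8#exec would send to the server as two separate things.
class RecordingConn
  Cursor = Struct.new(:sql, :binds) do
    def fetch_hash
      { 'LOGIN_ID' => binds.first } # pretend the matching row came back
    end

    def close; end
  end

  attr_reader :calls

  def initialize
    @calls = [] # each entry is [statement_text, bind_values]
  end

  def exec(sql, *binds)
    @calls << [sql, binds]
    Cursor.new(sql, binds)
  end
end

# Bind-variable form, as in the question: the statement text never contains
# the user's input, so quotes or other SQL syntax in it cannot alter the query.
LOOKUP_SQL = 'SELECT login_id FROM users WHERE external_user = :id'.freeze

def find_by_user_name(conn, id)
  return nil unless id
  cursor = conn.exec(LOOKUP_SQL, id)
  cursor.fetch_hash
ensure
  cursor.close if cursor # release the cursor even if fetch raises
end

# Interpolated form, for contrast: the input becomes part of the statement,
# so an apostrophe in a name already breaks the quoting the server sees.
def find_by_user_name_interpolated(conn, id)
  conn.exec("SELECT login_id FROM users WHERE external_user = '#{id}'")
  conn.calls.last[0]
end

# Distinct statement texts the server would receive for the given inputs.
def statements_sent(inputs, &lookup)
  conn = RecordingConn.new
  inputs.each { |i| lookup.call(conn, i) }
  conn.calls.map(&:first).uniq
end
```

With bind variables every input yields the single statement text LOOKUP_SQL; with interpolation the text changes per input and "O'Brien" produces a malformed quoted literal.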