
sql injection in rails

Is it possible in Rails that, if an SQL injection vulnerability is found, anyone can drop a table? I came across an article which says Rails executes only single SQL statements. For example, if I run raw SQL like this

ActiveRecord::Base.connection.execute("select * from users; drop table test_table;")

it throws an exception.

Does this apply to all the Rails ActiveRecord helpers? Are there any other methods by which a table can be dropped?

What is this vulnerability?

The bug allows SQL injection through dynamic finder methods (e.g. find_by_foo(params[:foo])). I will explain dynamic finders in a bit. The bug affects all Ruby on Rails versions.

A known exploitable scenario is when all of the following applies:

- You're using Authlogic (a third-party but popular authentication library).
- You must know the session secret token.

There are other exploitable scenarios, but it really depends on what your app is doing. Since it is impossible to prove that something isn't insecure, you should take the vulnerability seriously and upgrade anyway even if you think you aren't affected.

What is this vulnerability NOT?

For those who know Rails:

- The bug does not affect normal finder methods (e.g. find(params[:id])).
- The bug is not exploitable through request parameters.
- The bug is not in Authlogic. It's in Rails. It just so happens that Authlogic triggers it.
- Devise (another third-party authentication library) does not trigger the bug.
- The 'params' case is a totally different and unrelated issue. The issue described there is quite severe and deserves serious attention, so please keep your eye open for any new advisories.

For more, see rails sql injection.
