mercredi 23 mai 2018

how to prevent SQL injection in ruby on rails with post request

I am getting a security error in my ROR code that SQL injection may be possible in one post request when I run The OWASP Zed Attack Proxy (ZAP) tool on my code. I have a get_auth_token method which does not take any parameters , ZAP tool adds a query parameter in this request and on executing the modifier request the page loads fine which is an issue

Below is the modified url with added query param

https://example.com/api/sessions/get_auth_token?query=query+AND+1%3D1+--+

get_auth_token implementation looks like this

def get_auth_token
  user = User.find_by(id: session[:user_id], disabled: false) 
 if session[:user_id]
  if user
  token = AuthToken.issue(user_id:user.username)
  session[:user_id] = user.id
  session[:username] = user.username
  session[:project_id] = user.get_setting('xyz', nil)
  User.update(user.id, :token=>token)

I do not want to convert this request to GET. I have gone through many examples for SQL injection prevention , they all focus on methods which accept some param. My method does not accept any param. How can I make sure that it does not accept any external param to prevent this SQL injection

Aucun commentaire:

Enregistrer un commentaire