sequel 5.80.0 → 5.92.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (205) hide show
  1. checksums.yaml +4 -4
  2. data/bin/sequel +9 -4
  3. data/lib/sequel/adapters/ado.rb +1 -1
  4. data/lib/sequel/adapters/ibmdb.rb +1 -0
  5. data/lib/sequel/adapters/jdbc/db2.rb +2 -2
  6. data/lib/sequel/adapters/jdbc/derby.rb +3 -3
  7. data/lib/sequel/adapters/jdbc/h2.rb +2 -2
  8. data/lib/sequel/adapters/jdbc/hsqldb.rb +2 -2
  9. data/lib/sequel/adapters/jdbc/jtds.rb +2 -2
  10. data/lib/sequel/adapters/jdbc/mysql.rb +1 -1
  11. data/lib/sequel/adapters/jdbc/oracle.rb +5 -5
  12. data/lib/sequel/adapters/jdbc/postgresql.rb +5 -5
  13. data/lib/sequel/adapters/jdbc/sqlanywhere.rb +6 -6
  14. data/lib/sequel/adapters/jdbc/sqlite.rb +2 -2
  15. data/lib/sequel/adapters/jdbc/sqlserver.rb +2 -2
  16. data/lib/sequel/adapters/jdbc.rb +8 -8
  17. data/lib/sequel/adapters/mysql2.rb +8 -1
  18. data/lib/sequel/adapters/shared/access.rb +1 -0
  19. data/lib/sequel/adapters/shared/db2.rb +1 -1
  20. data/lib/sequel/adapters/shared/mssql.rb +18 -5
  21. data/lib/sequel/adapters/shared/mysql.rb +8 -4
  22. data/lib/sequel/adapters/shared/oracle.rb +1 -0
  23. data/lib/sequel/adapters/shared/postgres.rb +106 -13
  24. data/lib/sequel/adapters/shared/sqlite.rb +4 -2
  25. data/lib/sequel/adapters/sqlite.rb +4 -0
  26. data/lib/sequel/adapters/trilogy.rb +1 -2
  27. data/lib/sequel/connection_pool/sharded_threaded.rb +26 -10
  28. data/lib/sequel/connection_pool/threaded.rb +26 -10
  29. data/lib/sequel/connection_pool.rb +2 -2
  30. data/lib/sequel/core.rb +15 -0
  31. data/lib/sequel/database/connecting.rb +20 -26
  32. data/lib/sequel/database/dataset_defaults.rb +3 -3
  33. data/lib/sequel/database/misc.rb +46 -10
  34. data/lib/sequel/database/query.rb +11 -11
  35. data/lib/sequel/database/schema_generator.rb +8 -0
  36. data/lib/sequel/database/schema_methods.rb +17 -1
  37. data/lib/sequel/dataset/actions.rb +9 -1
  38. data/lib/sequel/dataset/deprecated_singleton_class_methods.rb +1 -1
  39. data/lib/sequel/dataset/prepared_statements.rb +2 -1
  40. data/lib/sequel/dataset/query.rb +9 -5
  41. data/lib/sequel/dataset/sql.rb +25 -5
  42. data/lib/sequel/extensions/caller_logging.rb +2 -0
  43. data/lib/sequel/extensions/connection_validator.rb +15 -10
  44. data/lib/sequel/extensions/dataset_run.rb +41 -0
  45. data/lib/sequel/extensions/migration.rb +23 -3
  46. data/lib/sequel/extensions/null_dataset.rb +2 -2
  47. data/lib/sequel/extensions/pg_auto_parameterize.rb +1 -1
  48. data/lib/sequel/extensions/pg_auto_parameterize_in_array.rb +93 -10
  49. data/lib/sequel/extensions/pg_enum.rb +3 -3
  50. data/lib/sequel/extensions/pg_json_ops.rb +642 -9
  51. data/lib/sequel/extensions/pg_row.rb +3 -1
  52. data/lib/sequel/extensions/pg_schema_caching.rb +90 -0
  53. data/lib/sequel/extensions/provenance.rb +2 -0
  54. data/lib/sequel/extensions/query_blocker.rb +172 -0
  55. data/lib/sequel/extensions/schema_caching.rb +24 -9
  56. data/lib/sequel/extensions/schema_dumper.rb +16 -4
  57. data/lib/sequel/extensions/sqlite_json_ops.rb +1 -1
  58. data/lib/sequel/extensions/stdio_logger.rb +48 -0
  59. data/lib/sequel/extensions/string_agg.rb +17 -4
  60. data/lib/sequel/extensions/temporarily_release_connection.rb +178 -0
  61. data/lib/sequel/extensions/virtual_row_method_block.rb +1 -0
  62. data/lib/sequel/model/associations.rb +28 -3
  63. data/lib/sequel/model/base.rb +67 -18
  64. data/lib/sequel/plugins/association_pks.rb +1 -1
  65. data/lib/sequel/plugins/column_encryption.rb +1 -1
  66. data/lib/sequel/plugins/composition.rb +1 -1
  67. data/lib/sequel/plugins/defaults_setter.rb +16 -4
  68. data/lib/sequel/plugins/enum.rb +1 -1
  69. data/lib/sequel/plugins/forbid_lazy_load.rb +14 -1
  70. data/lib/sequel/plugins/input_transformer.rb +1 -1
  71. data/lib/sequel/plugins/inspect_pk.rb +44 -0
  72. data/lib/sequel/plugins/instance_filters.rb +4 -1
  73. data/lib/sequel/plugins/inverted_subsets.rb +1 -0
  74. data/lib/sequel/plugins/lazy_attributes.rb +1 -1
  75. data/lib/sequel/plugins/nested_attributes.rb +10 -5
  76. data/lib/sequel/plugins/optimistic_locking.rb +2 -0
  77. data/lib/sequel/plugins/paged_operations.rb +5 -2
  78. data/lib/sequel/plugins/pg_auto_constraint_validations.rb +6 -1
  79. data/lib/sequel/plugins/pg_auto_validate_enums.rb +88 -0
  80. data/lib/sequel/plugins/pg_eager_any_typed_array.rb +95 -0
  81. data/lib/sequel/plugins/rcte_tree.rb +1 -1
  82. data/lib/sequel/plugins/serialization.rb +11 -5
  83. data/lib/sequel/plugins/sql_comments.rb +7 -2
  84. data/lib/sequel/plugins/static_cache_cache.rb +50 -13
  85. data/lib/sequel/plugins/subset_conditions.rb +85 -5
  86. data/lib/sequel/plugins/subset_static_cache.rb +263 -0
  87. data/lib/sequel/plugins/tactical_eager_loading.rb +6 -2
  88. data/lib/sequel/plugins/validate_associated.rb +1 -1
  89. data/lib/sequel/sql.rb +16 -6
  90. data/lib/sequel/version.rb +1 -1
  91. metadata +12 -234
  92. data/CHANGELOG +0 -1355
  93. data/README.rdoc +0 -936
  94. data/doc/advanced_associations.rdoc +0 -884
  95. data/doc/association_basics.rdoc +0 -1859
  96. data/doc/bin_sequel.rdoc +0 -146
  97. data/doc/cheat_sheet.rdoc +0 -255
  98. data/doc/code_order.rdoc +0 -102
  99. data/doc/core_extensions.rdoc +0 -405
  100. data/doc/dataset_basics.rdoc +0 -96
  101. data/doc/dataset_filtering.rdoc +0 -222
  102. data/doc/extensions.rdoc +0 -77
  103. data/doc/fork_safety.rdoc +0 -84
  104. data/doc/mass_assignment.rdoc +0 -98
  105. data/doc/migration.rdoc +0 -660
  106. data/doc/model_dataset_method_design.rdoc +0 -129
  107. data/doc/model_hooks.rdoc +0 -254
  108. data/doc/model_plugins.rdoc +0 -270
  109. data/doc/mssql_stored_procedures.rdoc +0 -43
  110. data/doc/object_model.rdoc +0 -563
  111. data/doc/opening_databases.rdoc +0 -436
  112. data/doc/postgresql.rdoc +0 -611
  113. data/doc/prepared_statements.rdoc +0 -144
  114. data/doc/querying.rdoc +0 -1070
  115. data/doc/reflection.rdoc +0 -120
  116. data/doc/release_notes/5.0.0.txt +0 -159
  117. data/doc/release_notes/5.1.0.txt +0 -31
  118. data/doc/release_notes/5.10.0.txt +0 -84
  119. data/doc/release_notes/5.11.0.txt +0 -83
  120. data/doc/release_notes/5.12.0.txt +0 -141
  121. data/doc/release_notes/5.13.0.txt +0 -27
  122. data/doc/release_notes/5.14.0.txt +0 -63
  123. data/doc/release_notes/5.15.0.txt +0 -39
  124. data/doc/release_notes/5.16.0.txt +0 -110
  125. data/doc/release_notes/5.17.0.txt +0 -31
  126. data/doc/release_notes/5.18.0.txt +0 -69
  127. data/doc/release_notes/5.19.0.txt +0 -28
  128. data/doc/release_notes/5.2.0.txt +0 -33
  129. data/doc/release_notes/5.20.0.txt +0 -89
  130. data/doc/release_notes/5.21.0.txt +0 -87
  131. data/doc/release_notes/5.22.0.txt +0 -48
  132. data/doc/release_notes/5.23.0.txt +0 -56
  133. data/doc/release_notes/5.24.0.txt +0 -56
  134. data/doc/release_notes/5.25.0.txt +0 -32
  135. data/doc/release_notes/5.26.0.txt +0 -35
  136. data/doc/release_notes/5.27.0.txt +0 -21
  137. data/doc/release_notes/5.28.0.txt +0 -16
  138. data/doc/release_notes/5.29.0.txt +0 -22
  139. data/doc/release_notes/5.3.0.txt +0 -121
  140. data/doc/release_notes/5.30.0.txt +0 -20
  141. data/doc/release_notes/5.31.0.txt +0 -148
  142. data/doc/release_notes/5.32.0.txt +0 -46
  143. data/doc/release_notes/5.33.0.txt +0 -24
  144. data/doc/release_notes/5.34.0.txt +0 -40
  145. data/doc/release_notes/5.35.0.txt +0 -56
  146. data/doc/release_notes/5.36.0.txt +0 -60
  147. data/doc/release_notes/5.37.0.txt +0 -30
  148. data/doc/release_notes/5.38.0.txt +0 -28
  149. data/doc/release_notes/5.39.0.txt +0 -19
  150. data/doc/release_notes/5.4.0.txt +0 -80
  151. data/doc/release_notes/5.40.0.txt +0 -40
  152. data/doc/release_notes/5.41.0.txt +0 -25
  153. data/doc/release_notes/5.42.0.txt +0 -136
  154. data/doc/release_notes/5.43.0.txt +0 -98
  155. data/doc/release_notes/5.44.0.txt +0 -32
  156. data/doc/release_notes/5.45.0.txt +0 -34
  157. data/doc/release_notes/5.46.0.txt +0 -87
  158. data/doc/release_notes/5.47.0.txt +0 -59
  159. data/doc/release_notes/5.48.0.txt +0 -14
  160. data/doc/release_notes/5.49.0.txt +0 -59
  161. data/doc/release_notes/5.5.0.txt +0 -61
  162. data/doc/release_notes/5.50.0.txt +0 -78
  163. data/doc/release_notes/5.51.0.txt +0 -47
  164. data/doc/release_notes/5.52.0.txt +0 -87
  165. data/doc/release_notes/5.53.0.txt +0 -23
  166. data/doc/release_notes/5.54.0.txt +0 -27
  167. data/doc/release_notes/5.55.0.txt +0 -21
  168. data/doc/release_notes/5.56.0.txt +0 -51
  169. data/doc/release_notes/5.57.0.txt +0 -23
  170. data/doc/release_notes/5.58.0.txt +0 -31
  171. data/doc/release_notes/5.59.0.txt +0 -73
  172. data/doc/release_notes/5.6.0.txt +0 -31
  173. data/doc/release_notes/5.60.0.txt +0 -22
  174. data/doc/release_notes/5.61.0.txt +0 -43
  175. data/doc/release_notes/5.62.0.txt +0 -132
  176. data/doc/release_notes/5.63.0.txt +0 -33
  177. data/doc/release_notes/5.64.0.txt +0 -50
  178. data/doc/release_notes/5.65.0.txt +0 -21
  179. data/doc/release_notes/5.66.0.txt +0 -24
  180. data/doc/release_notes/5.67.0.txt +0 -32
  181. data/doc/release_notes/5.68.0.txt +0 -61
  182. data/doc/release_notes/5.69.0.txt +0 -26
  183. data/doc/release_notes/5.7.0.txt +0 -108
  184. data/doc/release_notes/5.70.0.txt +0 -35
  185. data/doc/release_notes/5.71.0.txt +0 -21
  186. data/doc/release_notes/5.72.0.txt +0 -33
  187. data/doc/release_notes/5.73.0.txt +0 -66
  188. data/doc/release_notes/5.74.0.txt +0 -45
  189. data/doc/release_notes/5.75.0.txt +0 -35
  190. data/doc/release_notes/5.76.0.txt +0 -86
  191. data/doc/release_notes/5.77.0.txt +0 -63
  192. data/doc/release_notes/5.78.0.txt +0 -67
  193. data/doc/release_notes/5.79.0.txt +0 -28
  194. data/doc/release_notes/5.8.0.txt +0 -170
  195. data/doc/release_notes/5.80.0.txt +0 -40
  196. data/doc/release_notes/5.9.0.txt +0 -99
  197. data/doc/schema_modification.rdoc +0 -679
  198. data/doc/security.rdoc +0 -443
  199. data/doc/sharding.rdoc +0 -286
  200. data/doc/sql.rdoc +0 -648
  201. data/doc/testing.rdoc +0 -190
  202. data/doc/thread_safety.rdoc +0 -15
  203. data/doc/transactions.rdoc +0 -250
  204. data/doc/validations.rdoc +0 -558
  205. data/doc/virtual_rows.rdoc +0 -265
data/doc/security.rdoc DELETED
@@ -1,443 +0,0 @@
1
- = Security Considerations with Sequel
2
-
3
- When using Sequel, there are some security areas you should be aware of:
4
-
5
- * Code Execution
6
- * SQL Injection
7
- * Denial of Service
8
- * Mass Assignment
9
- * General Parameter Handling
10
-
11
- == Code Execution
12
-
13
- The most serious security vulnerability you can have in any library is
14
- a code execution vulnerability. Sequel should not be vulnerable to this,
15
- as it never calls eval on a string that is derived from user input.
16
- However, some Sequel methods used for creating methods via metaprogramming
17
- could conceivably be abused to do so:
18
-
19
- * Sequel::Dataset.def_sql_method
20
- * Sequel::JDBC.load_driver
21
- * Sequel::Plugins.def_dataset_methods
22
- * Sequel::Dataset.prepared_statements_module (private)
23
- * Sequel::SQL::Expression.to_s_method (private)
24
-
25
- As long as you don't call those with user input, you should not be
26
- vulnerable to code execution.
27
-
28
- == SQL Injection
29
-
30
- The primary security concern in SQL database libraries is SQL injection.
31
- Because Sequel promotes using ruby objects for SQL concepts instead
32
- of raw SQL, it is less likely to be vulnerable to SQL injection.
33
- However, because Sequel still makes it easy to use raw SQL, misuse of the
34
- library can result in SQL injection in your application.
35
-
36
- There are basically two kinds of possible SQL injections in Sequel:
37
-
38
- * SQL code injections
39
- * SQL identifier injections
40
-
41
- === SQL Code Injections
42
-
43
- ==== Full SQL Strings
44
-
45
- Some Sequel methods are designed to execute raw SQL strings, including:
46
-
47
- * Sequel::Database#execute
48
- * Sequel::Database#execute_ddl
49
- * Sequel::Database#execute_dui
50
- * Sequel::Database#execute_insert
51
- * Sequel::Database#run
52
- * Sequel::Database#<<
53
- * Sequel::Dataset#fetch_rows
54
- * Sequel::Dataset#with_sql_all
55
- * Sequel::Dataset#with_sql_delete
56
- * Sequel::Dataset#with_sql_each
57
- * Sequel::Dataset#with_sql_first
58
- * Sequel::Dataset#with_sql_insert
59
- * Sequel::Dataset#with_sql_single_value
60
- * Sequel::Dataset#with_sql_update
61
-
62
- Here are some examples of use:
63
-
64
- DB.execute 'SQL'
65
- DB.execute_ddl 'SQL'
66
- DB.execute_dui 'SQL'
67
- DB.execute_insert 'SQL'
68
- DB.run 'SQL'
69
- DB << 'SQL'
70
- DB.fetch_rows('SQL'){|row| }
71
- DB.dataset.with_sql_all('SQL')
72
- DB.dataset.with_sql_delete('SQL')
73
- DB.dataset.with_sql_each('SQL'){|row| }
74
- DB.dataset.with_sql_first('SQL')
75
- DB.dataset.with_sql_insert('SQL')
76
- DB.dataset.with_sql_single_value('SQL')
77
- DB.dataset.with_sql_update('SQL')
78
-
79
- If you pass a string to these methods that is derived from user input, you open
80
- yourself up to SQL injection. These methods are not designed to work at all
81
- with user input. If you must call them with user input, you should escape the
82
- user input manually via Sequel::Database#literal. Example:
83
-
84
- DB.run "SOME SQL #{DB.literal(params[:user].to_s)}"
85
-
86
- ==== Full SQL Strings, With Possible Placeholders
87
-
88
- Other Sequel methods are designed to support execution of raw SQL strings that may contain placeholders:
89
-
90
- * Sequel::Database#[]
91
- * Sequel::Database#fetch
92
- * Sequel::Dataset#with_sql
93
-
94
- Here are some examples of use:
95
-
96
- DB['SQL'].all
97
- DB.fetch('SQL').all
98
- DB.dataset.with_sql('SQL').all
99
-
100
- With these methods you should use placeholders, in which case Sequel automatically escapes the input:
101
-
102
- DB['SELECT * FROM foo WHERE bar = ?', params[:user].to_s]
103
-
104
- ==== Manually Created Literal Strings
105
-
106
- Sequel generally treats ruby strings as SQL strings (escaping them correctly), and
107
- not as raw SQL. However, you can convert a ruby string to a literal string, and
108
- Sequel will then treat it as raw SQL. This is typically done through
109
- Sequel.lit[rdoc-ref:Sequel::SQL::Builders#lit].
110
-
111
- Sequel.lit('a')
112
-
113
- Using Sequel.lit[rdoc-ref:Sequel::SQL::Builders#lit] to turn a ruby string into a literal string results
114
- in SQL injection if the string is derived from user input. With both of these
115
- methods, the strings can contain placeholders, which you can use to safely include
116
- user input inside a literal string:
117
-
118
- Sequel.lit('a = ?', params[:user_id].to_s)
119
-
120
- Even though they have similar names, note that Sequel::Database#literal operates very differently from
121
- String#lit or Sequel.lit[rdoc-ref:Sequel::SQL::Builders#lit].
122
- Sequel::Database#literal is for taking any supported object,
123
- and getting an SQL representation of that object, while
124
- String#lit or Sequel.lit[rdoc-ref:Sequel::SQL::Builders#lit] are for treating
125
- a ruby string as raw SQL. For example:
126
-
127
- DB.literal(Date.today) # "'2013-03-22'"
128
- DB.literal('a') # "'a'"
129
- DB.literal(Sequel.lit('a')) # "a"
130
- DB.literal(a: 'a') # "(\"a\" = 'a')"
131
- DB.literal(a: Sequel.lit('a')) # "(\"a\" = a)"
132
-
133
- ==== SQL Filter Fragments
134
-
135
- Starting in Sequel 5, Sequel does not automatically convert plain strings to
136
- literal strings in typical code. Instead, you can use Sequel.lit to
137
- create literal strings:
138
-
139
- Sequel.lit("name > 'A'")
140
-
141
- To safely include user input as part of an SQL filter fragment, use Sequel.lit
142
- with placeholders:
143
-
144
- DB[:table].where(Sequel.lit("name > ?", params[:id].to_s)) # Safe
145
-
146
- Be careful to never call Sequel.lit where the first argument is derived from
147
- user input.
148
-
149
- There are a few uncommon cases where Sequel will still convert
150
- plain strings to literal strings.
151
-
152
- ==== SQL Fragment passed to Dataset#lock_style and Model#lock!
153
-
154
- The Sequel::Dataset#lock_style and Sequel::Model#lock! methods also treat
155
- an input string as SQL code. These methods should not be called with user input.
156
-
157
- DB[:table].lock_style(params[:id]) # SQL injection!
158
- Album.first.lock!(params[:id]) # SQL injection!
159
-
160
- ==== SQL Type Names
161
-
162
- In general, most places where Sequel needs to use an SQL type that should
163
- be specified by the user, it allows you to use a ruby string, and that
164
- string is used verbatim as the SQL type. You should not use user input
165
- for type strings.
166
-
167
- DB[:table].select(Sequel.cast(:a, params[:id])) # SQL injection!
168
-
169
- ==== SQL Function Names
170
-
171
- In most cases, Sequel does not quote SQL function names. You should not use
172
- user input for function names.
173
-
174
- DB[:table].select(Sequel.function(params[:id])) # SQL injection!
175
-
176
- ==== SQL Window Frames
177
-
178
- For backwards compatibility, Sequel supports regular strings in the
179
- window function :frame option, which will be treated as a literal string:
180
-
181
- DB[:table].select{fun(arg).over(frame: 'SQL Here')}
182
-
183
- You should make sure the frame argument is not derived from user input,
184
- or switch to using a hash as the :frame option value.
185
-
186
- ==== auto_literal_strings extension
187
-
188
- If the auto_literal_strings extension is used for backwards compatibility,
189
- then Sequel will treat plain strings as literal strings if they are used
190
- as the first argument to a filtering method. This can lead to SQL
191
- injection:
192
-
193
- DB[:table].where("name > #{params[:id].to_s}")
194
- # SQL injection when using auto_literal_strings extension
195
-
196
- If you are using the auto_literal_strings extension, you need to be very careful,
197
- as the following methods will treat a plain string given as the first argument
198
- as a literal string:
199
-
200
- * Sequel::Dataset#where
201
- * Sequel::Dataset#having
202
- * Sequel::Dataset#filter
203
- * Sequel::Dataset#exclude
204
- * Sequel::Dataset#exclude_having
205
- * Sequel::Dataset#or
206
- * Sequel::Dataset#first
207
- * Sequel::Dataset#last
208
- * Sequel::Dataset#[]
209
-
210
- Even stuff that looks like it may be safe isn't:
211
-
212
- DB[:table].first(params[:num_rows])
213
- # SQL injection when using auto_literal_strings extension
214
-
215
- The Model.find[rdoc-ref:Sequel::Model::ClassMethods#find] and
216
- Model.find_or_create[rdoc-ref:Sequel::Model::ClassMethods#find_or_create]
217
- class methods will also treat string arguments as literal strings if the
218
- auto_literal_strings extension is used:
219
-
220
- Album.find(params[:id])
221
- # SQL injection when using auto_literal_strings extension
222
-
223
- Similar to the filter methods, the auto_literal_strings extension
224
- also makes Sequel::Dataset#update treats a string argument as raw SQL:
225
-
226
- DB[:table].update("column = 1")
227
-
228
- So you should not do:
229
-
230
- DB[:table].update(params[:changes])
231
- # SQL injection when using auto_literal_strings extension
232
-
233
- or:
234
-
235
- DB[:table].update("column = #{params[:value].to_s}")
236
- # SQL injection when using auto_literal_strings extension
237
-
238
- Instead, you should do:
239
-
240
- DB[:table].update(column: params[:value].to_s) # Safe
241
-
242
- Because using the auto_literal_strings extension makes SQL injection
243
- so much eaiser, it is recommended to not use it, and instead
244
- use Sequel.lit with placeholders.
245
-
246
- === SQL Identifier Injections
247
-
248
- Usually, Sequel treats ruby symbols as SQL identifiers, and ruby
249
- strings as SQL strings. However, there are some parts of Sequel
250
- that treat ruby strings as SQL identifiers if an SQL string would
251
- not make sense in the same context.
252
-
253
- For example, Sequel::Database#from and Sequel::Dataset#from will treat a string as
254
- a table name:
255
-
256
- DB.from('t') # SELECT * FROM "t"
257
-
258
- Another place where Sequel treats ruby strings as identifiers are
259
- the Sequel::Dataset#insert and Sequel::Dataset#update methods:
260
-
261
- DB[:t].update('b'=>1) # UPDATE "t" SET "b" = 1
262
- DB[:t].insert('b'=>1) # INSERT INTO "t" ("b") VALUES (1)
263
-
264
- Note how the identifier is still quoted in these cases. Sequel quotes identifiers by default
265
- on most databases. However, it does not quote identifiers by default on DB2.
266
- On those databases using an identifier derived from user input can lead to SQL injection.
267
- Similarly, if you turn off identifier quoting manually on other databases, you open yourself
268
- up to SQL injection if you use identifiers derived from user input.
269
-
270
- When Sequel quotes identifiers, using an identifier derived from user input does not lead to
271
- SQL injection, since the identifiers are also escaped when quoting.
272
- Exceptions to this are Oracle (can't escape <tt>"</tt>) and Microsoft Access
273
- (can't escape <tt>]</tt>).
274
-
275
- In general, even if doesn't lead to SQL Injection, you should avoid using identifiers
276
- derived from user input unless absolutely necessary.
277
-
278
- Sequel also allows you to create identifiers using
279
- Sequel.identifier[rdoc-ref:Sequel::SQL::Builders#identifier] for plain identifiers,
280
- Sequel.qualify[rdoc-ref:Sequel::SQL::Builders#qualify] and
281
- Sequel::SQL::Indentifier#[][rdoc-ref:Sequel::SQL::QualifyingMethods#[]] for qualified identifiers, and
282
- Sequel.as[rdoc-ref:Sequel::SQL::Builders#as] for aliased expressions. So if you
283
- pass any of those values derived from user input, you are dealing with the same scenario.
284
-
285
- Note that the issues with SQL identifiers do not just apply to places where
286
- strings are used as identifiers, they also apply to all places where Sequel
287
- uses symbols as identifiers. However, if you are creating symbols from user input,
288
- you at least have a denial of service vulnerability in ruby <2.2, and possibly a
289
- more serious vulnerability.
290
-
291
- Note that many Database schema modification methods (e.g. create_table, add_column)
292
- also allow for SQL identifier injections, and possibly also SQL code injections.
293
- These methods should never be called with user input.
294
-
295
- == Denial of Service
296
-
297
- Sequel converts some strings to symbols. Because symbols in ruby <2.2 are not
298
- garbage collected, if the strings that are converted to symbols are
299
- derived from user input, you have a denial of service vulnerability due to
300
- memory exhaustion.
301
-
302
- The strings that Sequel converts to symbols are generally not derived
303
- from user input, so Sequel in general is not vulnerable to this. However,
304
- users should be aware of the cases in which Sequel creates symbols, so
305
- they do not introduce a vulnerability into their application.
306
-
307
- === Column Names/Aliases
308
-
309
- Sequel returns SQL result sets as an array of hashes with symbol keys. The
310
- keys are derived from the name that the database server gives the column. These
311
- names are generally static. For example:
312
-
313
- SELECT column FROM table
314
-
315
- The database will generally use "column" as the name in the result set.
316
-
317
- If you use an alias:
318
-
319
- SELECT column AS alias FROM table
320
-
321
- The database will generally use "alias" as the name in the result set. So
322
- if you allow the user to control the alias name:
323
-
324
- DB[:table].select(:column.as(params[:alias]))
325
-
326
- Then you can have a denial of service vulnerability. In general, such a vulnerability
327
- is unlikely, because you are probably indexing into the returned hash(es) by name,
328
- and if an alias was used and you didn't expect it, your application wouldn't work.
329
-
330
- === Database Connection Options
331
-
332
- All database connection options are converted to symbols. For a
333
- connection URL, the keys are generally fixed, but the scheme is turned
334
- into a symbol and the query option keys are used as connection option
335
- keys, so they are converted to symbols as well. For example:
336
-
337
- postgres://host/database?option1=foo&option2=bar
338
-
339
- Will result in :postgres, :option1, and :option2 symbols being created.
340
-
341
- Certain option values are also converted to symbols. In the general case,
342
- the sql_log_level option value is, but some adapters treat additional
343
- options similarly.
344
-
345
- This is not generally a risk unless you are allowing the user to control
346
- the connection URLs or are connecting to arbitrary databases at runtime.
347
-
348
- == Mass Assignment
349
-
350
- Mass assignment is the practice of passing a hash of columns and values
351
- to a single method, and having multiple column values for a given object set
352
- based on the content of the hash.
353
- The security issue here is that mass assignment may allow the user to
354
- set columns that you didn't intend to allow.
355
-
356
- The Model#set[rdoc-ref:Sequel::Model::InstanceMethods#set] and Model#update[rdoc-ref:Sequel::Model::InstanceMethods#update] methods do mass
357
- assignment. The default configuration of Sequel::Model allows all model
358
- columns except for the primary key column(s) to be set via mass assignment.
359
-
360
- Example:
361
-
362
- album = Album.new
363
- album.set(params[:album]) # Mass Assignment
364
-
365
- Both Model.new[rdoc-ref:Sequel::Model::InstanceMethods::new] and Model.create[rdoc-ref:Sequel::Model::ClassMethods#create]
366
- call Model#set[rdoc-ref:Sequel::Model::InstanceMethods#set] internally, so
367
- they also allow mass assignment:
368
-
369
- Album.new(params[:album]) # Mass Assignment
370
- Album.create(params[:album]) # Mass Assignment
371
-
372
- When the argument is derived from user input, instead of these methods, it is encouraged to either use
373
- Model#set_fields[rdoc-ref:Sequel::Model::InstanceMethods#set_fields] or
374
- Model#update_fields[rdoc-ref:Sequel::Model::InstanceMethods#update_fields],
375
- which allow you to specify which fields to allow on a per-call basis. This
376
- pretty much eliminates the chance that the user will be able to set a column
377
- you did not intend to allow:
378
-
379
- album.set_fields(params[:album], [:name, :copies_sold])
380
- album.update_fields(params[:album], [:name, :copies_sold])
381
-
382
- These two methods iterate over the second argument (+:name+ and +:copies_sold+ in
383
- this example) instead of iterating over the entries in the first argument
384
- (<tt>params[:album]</tt> in this example).
385
-
386
- If you want to override the columns that Model#set[rdoc-ref:Sequel::Model::InstanceMethods#set]
387
- allows by default during mass assignment, you can use the whitelist_security plugin, then call
388
- the set_allowed_columns class method.
389
-
390
- Album.plugin :whitelist_security
391
- Album.set_allowed_columns(:name, :copies_sold)
392
- Album.create(params[:album]) # Only name and copies_sold set
393
-
394
- Being explicit on a per-call basis using the set_fields and update_fields methods is recommended
395
- instead of using the whitelist_security plugin and setting a global whitelist.
396
-
397
- For more details on the mass assignment methods, see the {Mass Assignment Guide}[rdoc-ref:doc/mass_assignment.rdoc].
398
-
399
- == General Parameter Handling
400
-
401
- This issue isn't necessarily specific to Sequel, but it is a good general practice.
402
- If you are using values derived from user input, it is best to be explicit about
403
- their type. For example:
404
-
405
- Album.where(id: params[:id])
406
-
407
- is probably a bad idea. Assuming you are using a web framework, <tt>params[:id]</tt> could
408
- be a string, an array, a hash, nil, or potentially something else.
409
-
410
- Assuming that +id+ is an integer field, you probably want to do:
411
-
412
- Album.where(id: params[:id].to_i)
413
-
414
- If you are looking something up by name, you should try to enforce the value to be
415
- a string:
416
-
417
- Album.where(name: params[:name].to_s)
418
-
419
- If you are trying to use an IN clause with a list of id values based on input provided
420
- on a web form:
421
-
422
- Album.where(id: params[:ids].to_a.map(&:to_i))
423
-
424
- Basically, be as explicit as possible. While there aren't any known security issues
425
- in Sequel when you do:
426
-
427
- Album.where(id: params[:id])
428
-
429
- It allows the attacker to choose to do any of the following queries:
430
-
431
- id IS NULL # nil
432
- id = '1' # '1'
433
- id IN ('1', '2', '3') # ['1', '2', '3']
434
- id = ('a' = 'b') # {'a'=>'b'}
435
- id = ('a' IN ('a', 'b') AND 'c' = '') # {'a'=>['a', 'b'], 'c'=>''}
436
-
437
- While none of those allow for SQL injection, it's possible that they
438
- might have an issue in your application. For example, a long array
439
- or deeply nested hash might cause the database to have to do a lot of
440
- work that could be avoided.
441
-
442
- In general, it's best to let the attacker control as little as possible,
443
- and explicitly specifying types helps a great deal there.