escape_string truncating with null byte

Issue #208 wontfix
Peter Blay
created an issue

Tested with: PostgreSQL 9.4.1, pg gem 0.18.1, ruby 1.9.3p551, Mac OS X 10.10.2

It seems that escape_string, in either the class or instance method version, isn't taking null bytes into account. So for example:

    conn = PG::Connection.open("dbname=test")
    s = conn.escape_string("hello\x00 world")

now s == "hello"

Although there's a lower chance of it, this could plausibly allow SQL injection into non-string parameters via truncation, such as:

    query = conn.escape_string("SELECT * FROM users WHERE age < #{userInput} AND salary > 100000")
    conn.exec(query)

If userInput were "25 or 1<15\x00", this would turn the query into "SELECT * FROM users WHERE age < 25 or 1<15", which would return the entire table.

Of course, escape_string() should probably be used for escaping string inputs instead of things that are expected to be numeric, but it wouldn't be that surprising for somebody to use this function in this way.
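The truncation described in the report, modelled offline, next to the two checks a defender would add. This is an added example, not code from the issue or from the pg gem: `escape_string_model` is an assumed stand-in that mimics a C-string escaping routine stopping at the first NUL byte, and `build_query_parameterized` only builds the [sql, params] pair one would hand to `PG::Connection#exec_params`; nothing here connects to a database.

```ruby
# Model of escape_string as observed in the report: everything after the
# first NUL byte is dropped (the underlying C call reads a NUL-terminated
# string). This is an assumed stand-in, not pg's implementation.
def escape_string_model(str)
  cut = str[0, str.index("\x00") || str.length]
  cut.gsub("'", "''") # single-quote doubling, as a string escaper does
end

# The pattern from the report: the whole assembled query is escaped, so
# a NUL byte in the interpolated input silently cuts off the trailing
# "AND salary > 100000" condition.
def build_query_unsafe(user_input)
  escape_string_model(
    "SELECT * FROM users WHERE age < #{user_input} AND salary > 100000"
  )
end

# Check 1: refuse untrusted input containing a NUL byte before it reaches
# any escaping routine, instead of letting the byte truncate the string.
def reject_nul!(input)
  raise ArgumentError, "NUL byte in untrusted input" if input.include?("\x00")
  input
end

# Check 2: never interpolate. Coerce to the expected type (Integer raises
# on "25 or 1<15") and bind the value as a parameter ($1), returning the
# sql and params one would pass to exec_params (assumed usage).
def build_query_parameterized(user_input)
  age = Integer(reject_nul!(user_input), 10)
  ["SELECT * FROM users WHERE age < $1 AND salary > 100000", [age]]
end

if __FILE__ == $0
  puts build_query_unsafe("25 or 1<15\x00")        # condition on salary is gone
  p build_query_parameterized("25")                # ["... $1 ...", [25]]
end
```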

Comments (2)
