
I have a controller with these methods:

  def index
    state = state_filter()

    if state
      ...
    else
      # Sort column and direction both come from params; Brakeman flags this order() call
      @clients = Client.paginate(:page => params[:page], :per_page => 30).order(sort_column + ' ' + sort_direction)
    end
  end

  ...
  # Only "asc" or "desc" is allowed; anything else falls back to "asc"
  def sort_direction
    %w[asc desc].include?(params[:direction]) ? params[:direction] : "asc"
  end

  # Only an existing column name is allowed; anything else falls back to "title"
  def sort_column
    Client.column_names.include?(params[:sort]) ? params[:sort] : "title"
  end

I scanned my app with the brakeman gem and it found that I have a possible SQL injection in the index method, in the sorting. I tried to solve this by rewriting my methods like this:

# Returns only one of the literal strings below, never params[:direction] itself
def sort_direction
  case params[:direction]
  when "asc" then "asc"
  when "desc" then "desc"
  else "asc"
  end
end

# Returns only one of the literal column names below, never params[:sort] itself
def sort_column
  case params[:sort]
  when "title" then "title"
  when "state" then "state"
  when "created_at" then "created_at"
  else "title"
  end
end

But the gem still thinks that I have the vulnerability. What is the correct way to fix this problem? Do I really need to deal with that somehow?

ExiRe
  • can you show us an example of a possible SQL injection in your case? I thought Rails 3 would sanitize the ARel queries by default and therefore not allow that to happen. – ChuckE Jan 22 '13 at 11:39
  • This is bizarrely similar to [this question](http://stackoverflow.com/questions/13619195/rails-brakeman-order-sql-injection/13661521), even using the same method names and using helper methods in the controller for something I would think belongs in a model. In any case, please see my answer there. – Justin Jan 22 '13 at 20:40
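The pattern the question is circling, as an added example that is not code from the question, from Brakeman or from the linked answer: keep the sort column and direction on a fixed allowlist and hand ActiveRecord a hash rather than a string built from params. It assumes a Rails version whose `order` accepts a hash (Rails 4 and later); `order_fragment` is a hypothetical helper for callers that still need a SQL string, and the request params are constructed.

```ruby
# Added example, not code from the question or from Brakeman. Runs without
# Rails: safe_order returns the hash you would pass to Client.order(...),
# and order_fragment renders it for an API that only accepts a SQL string.

ALLOWED_COLUMNS    = %w[title state created_at].freeze
ALLOWED_DIRECTIONS = %w[asc desc].freeze

# Allowlist lookup. `find` returns the element of the frozen constant, not
# the request value, so what flows onwards originates in the allowlist.
def pick(allowed, value, default)
  allowed.find { |candidate| candidate == value } || default
end

# Returns e.g. { "created_at" => :desc }. Key and value both come from
# constants, so no SQL fragment is ever assembled from params.
def safe_order(params)
  column    = pick(ALLOWED_COLUMNS, params[:sort], "title")
  direction = pick(ALLOWED_DIRECTIONS, params[:direction], "asc")
  { column => direction.to_sym }.freeze
end

# Hypothetical helper for an ORDER BY that must be a string (older
# ActiveRecord): quote the identifier and upcase the direction. The input
# is the output of safe_order, so every piece is already allowlisted;
# anything else is rejected rather than passed through.
def order_fragment(order)
  column, direction = order.first
  raise ArgumentError, "column not allowlisted: #{column}" unless ALLOWED_COLUMNS.include?(column)
  raise ArgumentError, "direction not allowlisted: #{direction}" unless ALLOWED_DIRECTIONS.include?(direction.to_s)
  %("#{column}" #{direction.to_s.upcase})
end

if $PROGRAM_NAME == __FILE__
  # Constructed request params: one legitimate, one with junk in both fields.
  p safe_order({ sort: "created_at", direction: "desc" })
  p safe_order({ sort: "title; anything", direction: "up" })
  puts order_fragment(safe_order({ sort: "state", direction: "asc" }))
end
```

With the hash form, `Client.order(safe_order(params))` never receives a string derived from the request, which is the construction the scanner objects to in `order(sort_column + ' ' + sort_direction)`.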
