Recently at @Betterment, we discovered a low-impact SQL injection vulnerability in the CTE alias functionality of ctes_in_my_pg. The surface area is fairly small, and would only be an issue if you were using unsanitized user input as the hash key to a `with` clause. Nonetheless, it seems like a worthwhile thing to patch, especially since we already have the `pg` dependency in this project.
The actual change is to use `PG::Connection.quote_ident`[1] instead of trying to add the double quotes around the identifier manually. This has better support for special characters which should prevent a possible SQLi.
[1]: http://www.rubydoc.info/gems/pg/PG/Connection:quote_ident
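The difference between wrapping the alias in double quotes by hand and proper identifier quoting, as an added example that is not code from ctes_in_my_pg: `safe_quote_ident` re-implements the documented single-string behaviour of `PG::Connection.quote_ident` (wrap in double quotes, double every embedded double quote) so the snippet runs without the `pg` gem, and `build_with_clause`, `single_identifier?` and the sample alias are constructed for illustration.

```ruby
# Added example, not code from ctes_in_my_pg: contrasts hand-wrapping a CTE
# alias in double quotes with PostgreSQL identifier quoting.
# safe_quote_ident mirrors the documented behaviour of
# PG::Connection.quote_ident for a single String so this runs without the
# pg gem; the actual fix calls the gem's method.

def naive_quote_ident(name)
  # Pre-fix behaviour: only wrap. An embedded double quote terminates the
  # identifier early and whatever follows is parsed as SQL.
  "\"#{name}\""
end

def safe_quote_ident(name)
  # Inside a quoted identifier PostgreSQL writes a double quote as "",
  # so the whole input stays one identifier whatever it contains.
  "\"#{name.to_s.gsub('"', '""')}\""
end

# Build the WITH clause from an alias => subquery hash, the way a `with`
# helper would, parameterised on the quoting strategy (hypothetical helper).
def build_with_clause(ctes, quoter)
  parts = ctes.map { |alias_name, sql| "#{quoter.call(alias_name)} AS (#{sql})" }
  "WITH #{parts.join(', ')}"
end

# Defensive check: is the quoted form exactly one quoted identifier, i.e.
# only non-quote characters or doubled quotes between the delimiters?
def single_identifier?(quoted)
  quoted.match?(/\A"(?:[^"]|"")*"\z/)
end

# Constructed sample input: an alias taken from untrusted input that
# carries a double quote followed by further text.
HOSTILE_ALIAS = 'recent" AS (SELECT 1), rest'
SUBQUERY = "SELECT id FROM users WHERE created_at > now() - interval '1 day'"

if __FILE__ == $PROGRAM_NAME
  naive = build_with_clause({ HOSTILE_ALIAS => SUBQUERY }, method(:naive_quote_ident))
  safe  = build_with_clause({ HOSTILE_ALIAS => SUBQUERY }, method(:safe_quote_ident))
  puts "naive: #{naive}"
  puts "safe:  #{safe}"
  puts "naive alias is one identifier? #{single_identifier?(naive_quote_ident(HOSTILE_ALIAS))}"
  puts "safe alias is one identifier?  #{single_identifier?(safe_quote_ident(HOSTILE_ALIAS))}"
end
```

The naive form leaves the alias open after `"recent"`, while the quoted form keeps the entire string as a single identifier that the parser cannot split.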