Depending on your ODM, similar vulnerabilities may exist. For example, if you have a user finder that expects an ID parameter

    id=1
    User.where(:id => params[:id]).first
    User.where(:id => 1).first
Then I could construct a hash in the param:

    id[$gt]=0
This would perform the following find:

    User.where(:id => params[:id]).first
    User.where(:id => {"$gt" => 0}).first
Which will return the first user record (probably).

You should be performing casts (usually to strings) before you pass your data to your ODM.

    id[$gt]=0
    User.where(:id => params[:id].to_s).first
    User.where(:id => "{:$gt=>0}").first
This will correctly fail to find a document.
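The operator injection described in the comment above, as an added Ruby example that is not part of the original comment and uses no real ODM: it mimics Rack's nested query parsing and a tiny filter matcher (both constructed here), then shows the raw-hash filter matching the first user while the string-cast filter matches nothing.

```ruby
require "uri"

# Stand-in for Rack's nested query parsing (constructed for this example, one
# level of nesting): "id[$gt]=0" becomes {"id" => {"$gt" => "0"}}.
def parse_nested_query(qs)
  qs.split("&").each_with_object({}) do |pair, out|
    key, val = pair.split("=", 2).map { |s| URI.decode_www_form_component(s.to_s) }
    if (m = key.match(/\A(\w+)\[([^\]]+)\]\z/))
      (out[m[1]] ||= {})[m[2]] = val
    else
      out[key] = val
    end
  end
end

# Vulnerable: the raw param value is handed straight to the query, so a Hash
# built from the URL becomes an operator document ({"$gt" => "0"}).
def unsafe_filter(params)
  { "id" => params["id"] }
end

# Hardened: cast to a scalar string before the value reaches the ODM; a Hash or
# Array can then never be interpreted as an operator.
def safe_filter(params)
  { "id" => params["id"].to_s }
end

# Minimal matcher standing in for how an ODM evaluates a filter against a
# document; only equality and $gt are implemented (constructed for this example).
def matches?(doc, filter)
  filter.all? do |field, cond|
    if cond.is_a?(Hash)
      cond.all? { |op, v| op == "$gt" && doc[field].to_s.to_i > v.to_i }
    else
      doc[field].to_s == cond.to_s
    end
  end
end

# Constructed sample collection; the admin record deliberately sorts first.
USERS = [{ "id" => 1, "name" => "admin" }, { "id" => 2, "name" => "bob" }].freeze

# Equivalent of User.where(filter).first against the sample collection.
def first_match(filter)
  USERS.find { |u| matches?(u, filter) }
end
```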
