Patch for Ruby on Rails 2.1.x SQL Injection (CVE-2012-2695)

sql_injection_patch_for_rails_2_1_series.rb

# Adapted patch for CVE-2012-2695 Ruby on Rails SQL Injection for rails 2.1.x versinos
# http://seclists.org/oss-sec/2012/q2/att-504/2-3-sql-injection.patch
# 1- Drop it at your_app/config/initializers/
# 2- Remember to pass your tests/specs
# 3- Profit!
module ActiveRecord
  class Base

    class << self

      alias_method :sanitize_sql_hash_for_conditions_vulnerable, :sanitize_sql_hash_for_conditions

      def sanitize_sql_hash_for_conditions(attrs, top_level = true)
        attrs = expand_hash_conditions_for_aggregates(attrs)

        conditions = attrs.map do |attr, value|
          if not value.is_a?(Hash)
            attr = attr.to_s

            # Extract table name from qualified attribute names.
            if attr.include?('.') and top_level 
              table_name, attr = attr.split('.', 2)
              table_name = connection.quote_table_name(table_name)
            else
              table_name = quoted_table_name
            end

            "#{table_name}.#{connection.quote_column_name(attr)} #{attribute_condition(value)}"
          elsif top_level
            sanitize_sql_hash_for_conditions(value, false)
          else
            raise ActiveRecord::StatementInvalid
          end
        end.join(' AND ')

        replace_bind_variables(conditions, expand_range_bind_variables(attrs.values))
      end
      alias_method :sanitize_sql_hash, :sanitize_sql_hash_for_conditions

    end
  end
end