mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-03 20:41:00 +02:00
24 lines
710 B
Ruby
24 lines
710 B
Ruby
|
|
# Phase 21 (Track M.3) — Rails ActiveRecord migration vuln fixture.
|
||
|
|
#
|
||
|
|
# `AddIndex#up` invokes `execute(...)` with a raw, attacker-controlled
|
||
|
|
# table name concatenated into DDL — classic Rails migration SQLi.
|
||
|
|
|
||
|
|
# class AddIndex < ActiveRecord::Migration[7.0]
|
||
|
|
|
||
|
|
class AddIndex
|
||
|
|
attr_accessor :table_name
|
||
|
|
|
||
|
|
def up
|
||
|
|
name = @table_name || ENV['NYX_PAYLOAD'].to_s
|
||
|
|
# SINK: tainted table name spliced into raw DDL.
|
||
|
|
execute("CREATE INDEX idx_#{name} ON users(name)")
|
||
|
|
end
|
||
|
|
|
||
|
|
def execute(sql)
|
||
|
|
# The harness only asserts that execute() is invoked with the
|
||
|
|
# tainted SQL string. A real ActiveRecord::Base.connection would
|
||
|
|
# forward to the DB driver.
|
||
|
|
puts "MIGRATION_SQL: #{sql}"
|
||
|
|
end
|
||
|
|
end
|