mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-15 20:05:13 +02:00
23 lines
710 B
Ruby
23 lines
710 B
Ruby
# Phase 21 (Track M.3) — Rails ActiveRecord migration vuln fixture.
|
|
#
|
|
# `AddIndex#up` invokes `execute(...)` with a raw, attacker-controlled
|
|
# table name concatenated into DDL — classic Rails migration SQLi.
|
|
|
|
# class AddIndex < ActiveRecord::Migration[7.0]
|
|
|
|
class AddIndex
|
|
attr_accessor :table_name
|
|
|
|
def up
|
|
name = @table_name || ENV['NYX_PAYLOAD'].to_s
|
|
# SINK: tainted table name spliced into raw DDL.
|
|
execute("CREATE INDEX idx_#{name} ON users(name)")
|
|
end
|
|
|
|
def execute(sql)
|
|
# The harness only asserts that execute() is invoked with the
|
|
# tainted SQL string. A real ActiveRecord::Base.connection would
|
|
# forward to the DB driver.
|
|
puts "MIGRATION_SQL: #{sql}"
|
|
end
|
|
end
|