Rails SQL injection vulnerability

Posted by Bryan Larsen on 2013-01-02

A SQL injection vulnerability has been found in ActiveRecord that impacts all versions of Rails:


I have released Hobo 1.3.3 that patches Hobo’s vulnerability to this issue.

if you are using Hobo 2.0 it is recommended that you upgrade to Rails 3.2.10, although I have also pushed the security patch to github master.

The Hobo fix only impacts Hobo’s usage. If you use find_by_ in your own code, you must fix those up yourself by coercing the input (find_by_foo(params[:foo].to_s1) for example) or by upgrading to a version of Rails without the vulnerability.