Rails SQL Injection

A serious security vulnerability affecting all released versions of Rails was announced on the Ruby on Rails Security list on January 2. The details are in the original announcement on that list, and the CVE entry tracks the case. The short version is that every extant version of the ActiveRecord ORM was vulnerable to SQL injection.

Fortunately, we eat our own dog food at Solano Labs, so upgrading, testing, and deploying the patched version of the software stack was straightforward. In fact, it was less than 45 minutes from the time the vulnerability alert was first mentioned in our internal chat to the time when the update was tested in Tddium and the deployments started going out. We immediately patched not only our production system, but also our staging environments and the few pieces of infrastructure that are also Rails applications. Continuous Integration and Delivery made for a quick, high-assurance turnaround on a critical update. Little Bobby Tables, eat your heart out!