
I was trying to understand the possibility of SQLi in a Rails application that I am currently auditing for a client, which uses Active Record 4.2.0.

Now, I have limited experience with RoR, so please bear with me on this. While looking through a query of the form:

@order = Order.find_by(external_order_id: params['id'], source_user_id: @user.id) if params['id'].present?

and going through multiple security advisories around RoR security (like the RoR Security Cheat Sheet), I understand that the find_by method of Active Record COULD be dangerous to use.

Now, to understand this fact better, I also tried going through the application logs to see the exact SQL query that gets formed when the above Active Record code gets hit. From my analysis I understand that params['id'] is the user input that gets to be part of the underlying SQL query directly. However, if I try injecting a SQLi payload in this parameter, the single quotes get escaped as \'.

Now some further reading revealed that Active Record by default escapes user input (please correct me if I am wrong here).

So if the above is the case, it means that the use of find_by, like in the above case, is completely safe. Or is it not? If not, what could be the possible bypasses for the escaping implemented by Active Record? Or is there another payload that could help me prove that SQLi is possible with the find_by method as used above, as mentioned in the cheat sheet linked above?

qre0ct
  • It sounds like find_by is dangerous if you have user input in a key, but safe with user input in a value. I don't know Rails well though, so check this before relying on it. – paj28 May 23 '16 at 12:11

1 Answer


https://stackoverflow.com/questions/22162350/sql-injection-and-activerecord answers this issue fine.

Do not use raw strings in ActiveRecord, use hashes.

View http://rails-sqli.org for a complete review of the concerned methods.

floum
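As an added illustration of paj28's comment and of the answer's advice (this is example code written here, not the asker's application and not ActiveRecord's own implementation), the Ruby below models how a hash condition such as find_by(column => value) is turned into SQL: values are quoted, but keys are written in as column names unchanged, so a key coming from user input must be checked against an allowlist. The quoting rule assumed is MySQL-style backslash escaping, matching the \' the asker saw in the logs; the table and column names are constructed for the example.

```ruby
# Added illustration, not ActiveRecord's real implementation: a minimal model
# of how a hash condition such as find_by(column => value) becomes SQL.
# Assumes MySQL-style quoting, where ' and \ are prefixed with a backslash.

# Quote a VALUE so the database can only ever read it as a literal.
def quote_value(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'" + value.to_s.gsub(/['\\]/) { |c| "\\" + c } + "'"
  end
end

# Hash keys are column names and are written into the SQL unchanged; there is
# no quoting step that turns an arbitrary string into a safe identifier.
def where_sql(table, conditions)
  clauses = conditions.map { |column, value| "#{column} = #{quote_value(value)}" }
  "SELECT #{table}.* FROM #{table} WHERE #{clauses.join(' AND ')} LIMIT 1"
end

# Columns the application is willing to filter on (constructed for the example).
ORDER_COLUMNS = %w[external_order_id source_user_id].freeze

# Hardened variant: refuse any key that is not a known column, so user input
# can reach the query only in the (quoted) value position.
def safe_where_sql(table, conditions)
  conditions.each_key do |column|
    unless ORDER_COLUMNS.include?(column.to_s)
      raise ArgumentError, "refusing to use #{column.inspect} as a column name"
    end
  end
  where_sql(table, conditions)
end

if __FILE__ == $PROGRAM_NAME
  # Value position: a quote in the input is escaped, as seen in the asker's logs.
  puts where_sql("orders", external_order_id: "abc'def", source_user_id: 42)
  # Key position: a string that is not a known column is rejected up front.
  begin
    safe_where_sql("orders", "status" => "paid")
  rescue ArgumentError => e
    puts e.message
  end
end
```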