Added SQL escaping for :limit and :offset [#288 state:closed] (Aaron Bedra, Steven Bristol, Jonathan Wiess)

activerecord/lib/active_record/connection_adapters/abstract/database_statements.rb

@@ -106,11 +106,16 @@ module ActiveRecord
       #  SELECT * FROM suppliers LIMIT 10 OFFSET 50
       def add_limit_offset!(sql, options)
         if limit = options[:limit]
-          sql << " LIMIT #{limit}"
+          sql << " LIMIT #{sanitize_limit(limit)}"
           if offset = options[:offset]
-            sql << " OFFSET #{offset}"
+            sql << " OFFSET #{offset.to_i}"
           end
         end
+        sql
+      end
+
+      def sanitize_limit(limit)
+        limit.to_s[/,/] ? limit.split(',').map{ |i| i.to_i }.join(',') : limit.to_i
       end
 
       # Appends a locking clause to an SQL statement.

activerecord/test/cases/adapter_test.rb

@@ -104,4 +104,24 @@ class AdapterTest < ActiveRecord::TestCase
     end
   end
 
+  def test_add_limit_offset_should_sanitize_sql_injection_for_limit_without_comas
+    sql_inject = "1 select * from schema"
+      assert_equal " LIMIT 1", @connection.add_limit_offset!("", :limit=>sql_inject)
+    if current_adapter?(:MysqlAdapter)
+      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+    else
+      assert_equal " LIMIT 1 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+    end
+  end
+
+  def test_add_limit_offset_should_sanitize_sql_injection_for_limit_with_comas
+    sql_inject = "1, 7 procedure help()"
+    if current_adapter?(:MysqlAdapter)
+      assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
+      assert_equal " LIMIT 7, 1", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+    else
+      assert_equal " LIMIT 1,7", @connection.add_limit_offset!("", :limit=>sql_inject)
+      assert_equal " LIMIT 1,7 OFFSET 7", @connection.add_limit_offset!("", :limit=>sql_inject, :offset=>7)
+    end
+  end
 end