Skip to content

Commit c2cffd3

Browse files
pimpinclaude
andcommitted
Fix N1QL injection in nested Hash attribute updates
Parameterize Hash values in build_update_with_params using bind() instead of direct string interpolation, which was both a security vulnerability and defeated prepared-statement caching. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 702c88c commit c2cffd3

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

lib/couchbase-orm/relation.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -225,7 +225,7 @@ def build_update_with_params(params, **cond)
225225
end
226226
if value.is_a?(Hash)
227227
value.map do |k, v|
228-
"#{key}.#{k} = #{v}"
228+
"#{key}.#{k} = #{@model.bind(v, params)}"
229229
end.join(", ") + for_clause
230230
else
231231
"#{key} = #{@model.bind(value, params)}#{for_clause}"

0 commit comments

Comments
 (0)