SQL Injection vulnerability

[thegcat]

We have reviewed this plugin for a customer at Planio and have found several issues with this plugin, among which an SQL injection vulnerability in https://github.com/kamenf/redmine_watcher_groups/blob/master/app/controllers/watcher_groups_controller.rb#L18 that allows arbitrary SQL Code to be executed by the Database.

[maxrossello]

Would love to receive an example of parameters that can be used for an attack, and possibly a patch to merge.
Thank you!

[thegcat]

In WatcherGroupsController#create, ["watcher_group"]["group_ids"] is not sanitized before being passed to the raw SQL string, so passing on ; something as ["watcher_group"]["group_ids"] to WatcherGroupsController#create will result in:

   (0.2ms)  INSERT INTO `watchers` (`user_id`, `watchable_id`, `watchable_type`) VALUES (; something, 9, 'Issue')
Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '; something, 9, 'Issue')' at line 1: 
INSERT INTO `watchers` (`user_id`, `watchable_id`, `watchable_type`) VALUES (; something, 9, 'Issue')

This will obviously only crash the request, as you can pass arbitrary SQL to the database though this basically would allow an attacker to completely take over the Redmine data.

[thegcat]

See #10 for a minimal fix.

[maxrossello]

Fixed on my branch, please look at https://github.com/maxrossello/redmine_watcher_groups.
Thank you