Bug #5738
Updated by Peter Amstutz about 9 years ago
<pre>
$ bundle exec arv collection list --filters='[["uuid", "=", "su92l-4zz18-hll1sflwwh8ogk1"]]' --select '["writable_by"]'
Error: #<ActiveRecord::StatementInvalid: PG::SyntaxError: ERROR: syntax error at or near "FROM"
LINE 1: SELECT FROM "collections" WHERE (expires_at IS NULL or ex...
^
: SELECT FROM "collections" WHERE (expires_at IS NULL or expires_at > CURRENT_TIMESTAMP) AND ((collections.uuid = 'su92l-4zz18-hll1sflwwh8ogk1')) LIMIT 100 OFFSET 0>
</pre>
It's not obvious that this is exploitable, but the fact that we're generating an invalid SQL statement without catching the error earlier is very concerning.