Perfect.  Thanks Sylvain.  That is exactly the input I was looking for, and I agree completely.
(t's easy enough to protect against)

As for the thrift side (i.e. using Hector or Astyanax), anyone have a crafty way to inject something?

At first glance, it doesn't appear possible, but I'm not 100% confident making that assertion. 



Brian O'Neill

Lead Architect, Software Development

Health Market Science

The Science of Better Results

2700 Horizon Drive  King of Prussia, PA  19406

M: 215.588.6024 @boneill42

This information transmitted in this email message is for the intended recipient only and may contain confidential and/or privileged material. If you received this email in error and are not the intended recipient, or the person responsible to deliver it to the intended recipient, please contact the sender at the email above and delete this email and any attachments and destroy any copies thereof. Any review, retransmission, dissemination, copying or other use of, or taking any action in reliance upon, this information by persons or entities other than the intended recipient is strictly prohibited.


From: Sylvain Lebresne <>
Reply-To: <>
Date: Tuesday, June 18, 2013 8:51 AM
To: "" <>
Subject: Re: "SQL" Injection C* (via CQL & Thrift)

If you're not careful, then "CQL injection" is possible.

Say you naively build you query with
  "UPDATE foo SET col='" + user_input + "' WHERE key = 'k'"
then if user_input is "foo' AND col2='bar", your user will have overwritten a column it shouldn't have been able to. And something equivalent in a BATCH statement could allow to overwrite/delete some random row in some random table.

Now CQL being much more restricted than SQL (no subqueries, no generic transaction, ...), the extent of what you can do with a CQL injection is way smaller than in SQL. But you do have to be careful.

As far as the Datastax java driver is concerned, you can fairly easily protect yourself by using either:
1) prepared statements: if the user input is a prepared variable, there is nothing the user can do (it's "equivalent" to the thrift situation).
2) using the query builder: it will escape quotes in the strings you provided, thuse avoiding injection.

So I would say that injections are definitively possible if you concatenate strings too naively, but I don't think preventing them is very hard.


On Tue, Jun 18, 2013 at 2:02 PM, Brian O'Neill <> wrote:

Mostly for fun, I wanted to throw this out there...

We are undergoing a security audit for our platform (C* + Elastic Search + Storm).  One component of that audit is susceptibility to SQL injection.  I was wondering if anyone has attempted to construct a SQL injection attack against Cassandra?  Is it even possible?

I know the code paths fairly well, but...
Does there exists a path in the code whereby user data gets interpreted, which could be exploited to perform user operations?

From the Thrift side of things, I've always felt safe.  Data is opaque.  Serializers are used to convert it to Bytes, and C* doesn't ever really do anything with the data.

In examining the CQL java-driver, it looks like there might be a bit more exposure to injection.  (or even CQL over Thrift)  I haven't dug into the code yet, but dependent on which flavor of the API you are using, you may be including user data in your statements.  

Does anyone know if the CQL java-driver does anything to protect against injection?  Or is it possible to say that the syntax is strict enough that any embedded operations in data would not parse?

just some food for thought...
I'll be digging into this over the next couple weeks.  If people are interested, I can throw a blog post out there with the findings.


Brian ONeill
Lead Architect, Health Market Science (
twitter: @boneill42