incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Evans <eev...@rackspace.com>
Subject Re: CQL injection attacks?
Date Sun, 03 Jul 2011 00:12:32 GMT
On Sat, 2011-07-02 at 19:17 +0100, dnallsopp@taz.qinetiq.com wrote:
> Just to illustrate; the typical injection pattern is:
> 
> String user = getUserName()
> String cql = "select * from users where KEY='"+user+"';"
> execute_cql(cql)
> 
> Now, if the user string is obtained from an external source (e.g. web
> form or
> other UI), then the attacker may enter a username of:
> 
> jsmith'; DROP COLUMNFAMILY 'users
> 
> which results in a CQL query of:
> 
> select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users'; 

No, each CQL query must contain exactly one statement, so this sort of
attack would not work.

And, as a rule of thumb, there are also no statement types that contain
other statements, which would be another common vector for an
injection.  

Now, there are batch statements for INSERT and UPDATE that are
essentially a collection of statements for that type.  That's probably
enough to say that, hypothetically speaking, it's possible in the
presence of an extremely buggy driver implementation, and some very
sloppy client code, for a clever attacker to create a new record (or
overwrite an existing one).

TTBMK, there are currently no drivers with bugs that egregious, so make
use of the driver's parameter substitution, sanitize your input, and you
shouldn't have anything to worry about (there is almost certainly less
risk of an injection attack than with SQL).

-- 
Eric Evans
eevans@rackspace.com


Mime
View raw message