Subject: Re: CQL injection attacks?
From: Eric Evans
To: user@cassandra.apache.org
In-Reply-To: <1309630640.4e0f60b01d222@itchen.qinetiq.com>
References: <1309374771.4e0b7933ac960@itchen.qinetiq.com> <1309630640.4e0f60b01d222@itchen.qinetiq.com>
Date: Sat, 02 Jul 2011 19:12:32 -0500
Message-ID: <1309651952.2053.51.camel@erebus.lan>

On Sat, 2011-07-02 at 19:17 +0100, dnallsopp@taz.qinetiq.com wrote:
> Just to illustrate; the typical injection pattern is:
>
> String user = getUserName()
> String cql = "select * from users where KEY='"+user+"';"
> execute_cql(cql)
>
> Now, if the user string is obtained from an external source (e.g. web
> form or other UI), then the attacker may enter a username of:
>
> jsmith'; DROP COLUMNFAMILY 'users
>
> which results in a CQL query of:
>
> select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';

No, each CQL query must contain exactly one statement, so this sort of attack would not work. And, as a rule of thumb, there are also no statement types that contain other statements, which would be another common vector for an injection.

Now, there are batch statements for INSERT and UPDATE that are essentially a collection of statements for that type. That's probably enough to say that, hypothetically speaking, it's possible in the presence of an extremely buggy driver implementation, and some very sloppy client code, for a clever attacker to create a new record (or overwrite an existing one).

TTBMK, there are currently no drivers with bugs that egregious, so make use of the driver's parameter substitution, sanitize your input, and you shouldn't have anything to worry about (there is almost certainly less risk of an injection attack than with SQL).

-- 
Eric Evans
eevans@rackspace.com
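The exchange above, as an added example that is not part of the thread or of Cassandra: it rebuilds the concatenated query from the quoted post and models the two defences the reply relies on, the one-statement-per-query rule and literal escaping, in plain Python so it runs without a cluster. `count_statements()` is an assumed, simplified stand-in for the server-side parser (it knows only CQL's `'...'` literals with `''` as the escaped quote and ignores comments), and `quote_literal()` is a fallback for when a driver's parameter substitution is not available, not a replacement for it.

```python
# Added example, not code from the thread or from Cassandra.
# count_statements() is a simplified stand-in for the server's parser: it
# assumes CQL '...' string literals with '' as the escaped quote and ignores
# comments. Prefer the driver's parameter substitution over quote_literal().

USER_INPUT = "jsmith'; DROP COLUMNFAMILY 'users"   # constructed attacker input


def build_cql_unsafe(user: str) -> str:
    """The pattern from the quoted post: untrusted text concatenated into CQL."""
    return "select * from users where KEY='" + user + "';"


def quote_literal(value: str) -> str:
    """Escape a value as a CQL string literal ('' is the escaped quote)."""
    return "'" + value.replace("'", "''") + "'"


def build_cql_escaped(user: str) -> str:
    """Same query with the value escaped, so the quote cannot end the literal."""
    return "select * from users where KEY=" + quote_literal(user) + ";"


def count_statements(cql: str) -> int:
    """Count top-level statements: semicolons outside quoted literals.
    A server enforcing one statement per query would reject a count above 1."""
    count = 0
    in_quote = False
    pending = False          # non-whitespace seen since the last terminator
    i = 0
    while i < len(cql):
        ch = cql[i]
        if in_quote:
            if ch == "'":
                if i + 1 < len(cql) and cql[i + 1] == "'":
                    i += 1   # '' is an escaped quote inside a literal
                else:
                    in_quote = False
        elif ch == "'":
            in_quote = True
            pending = True
        elif ch == ";":
            if pending:
                count += 1
            pending = False
        elif not ch.isspace():
            pending = True
        i += 1
    if pending:              # final statement without a trailing semicolon
        count += 1
    return count
```

With the constructed input, the concatenated query counts as two statements and would be refused under the one-statement rule, while the escaped form is a single SELECT whose key literal merely contains the attacker's text.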