incubator-cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From aaron morton <aa...@thelastpickle.com>
Subject Re: "SQL" Injection C* (via CQL & Thrift)
Date Thu, 20 Jun 2013 09:15:49 GMT
> As for the thrift side (i.e. using Hector or Astyanax), anyone have a crafty way to inject
something?

The only thing I've ever heard of coming close was a thrift bug that allowed a malformed request
to crash the server. But that was a while ago https://issues.apache.org/jira/browse/CASSANDRA-475

Cheers

-----------------
Aaron Morton
Freelance Cassandra Consultant
New Zealand

@aaronmorton
http://www.thelastpickle.com

On 19/06/2013, at 1:46 AM, Brian O'Neill <bone@alumni.brown.edu> wrote:

> 
> Perfect.  Thanks Sylvain.  That is exactly the input I was looking for, and I agree completely.
> (t's easy enough to protect against)
> 
> As for the thrift side (i.e. using Hector or Astyanax), anyone have a crafty way to inject
something?
> 
> At first glance, it doesn't appear possible, but I'm not 100% confident making that assertion.

> 
> -brian
> 
> ---
> Brian O'Neill
> Lead Architect, Software Development
> Health Market Science
> The Science of Better Results
> 2700 Horizon Drive • King of Prussia, PA • 19406
> M: 215.588.6024 • @boneill42  •  
> healthmarketscience.com
> 
> This information transmitted in this email message is for the intended recipient only
and may contain confidential and/or privileged material. If you received this email in error
and are not the intended recipient, or the person responsible to deliver it to the intended
recipient, please contact the sender at the email above and delete this email and any attachments
and destroy any copies thereof. Any review, retransmission, dissemination, copying or other
use of, or taking any action in reliance upon, this information by persons or entities other
than the intended recipient is strictly prohibited.
>  
> 
> 
> From: Sylvain Lebresne <sylvain@datastax.com>
> Reply-To: <user@cassandra.apache.org>
> Date: Tuesday, June 18, 2013 8:51 AM
> To: "user@cassandra.apache.org" <user@cassandra.apache.org>
> Subject: Re: "SQL" Injection C* (via CQL & Thrift)
> 
> If you're not careful, then "CQL injection" is possible.
> 
> Say you naively build you query with
>   "UPDATE foo SET col='" + user_input + "' WHERE key = 'k'"
> then if user_input is "foo' AND col2='bar", your user will have overwritten a column
it shouldn't have been able to. And something equivalent in a BATCH statement could allow
to overwrite/delete some random row in some random table.
> 
> Now CQL being much more restricted than SQL (no subqueries, no generic transaction, ...),
the extent of what you can do with a CQL injection is way smaller than in SQL. But you do
have to be careful.
> 
> As far as the Datastax java driver is concerned, you can fairly easily protect yourself
by using either:
> 1) prepared statements: if the user input is a prepared variable, there is nothing the
user can do (it's "equivalent" to the thrift situation).
> 2) using the query builder: it will escape quotes in the strings you provided, thuse
avoiding injection.
> 
> So I would say that injections are definitively possible if you concatenate strings too
naively, but I don't think preventing them is very hard.
> 
> --
> Sylvain
> 
> 
> On Tue, Jun 18, 2013 at 2:02 PM, Brian O'Neill <bone@alumni.brown.edu> wrote:
>> 
>> Mostly for fun, I wanted to throw this out there...
>> 
>> We are undergoing a security audit for our platform (C* + Elastic Search + Storm).
 One component of that audit is susceptibility to SQL injection.  I was wondering if anyone
has attempted to construct a SQL injection attack against Cassandra?  Is it even possible?
>> 
>> I know the code paths fairly well, but...
>> Does there exists a path in the code whereby user data gets interpreted, which could
be exploited to perform user operations?
>> 
>> From the Thrift side of things, I've always felt safe.  Data is opaque.  Serializers
are used to convert it to Bytes, and C* doesn't ever really do anything with the data.
>> 
>> In examining the CQL java-driver, it looks like there might be a bit more exposure
to injection.  (or even CQL over Thrift)  I haven't dug into the code yet, but dependent on
which flavor of the API you are using, you may be including user data in your statements.
 
>> 
>> Does anyone know if the CQL java-driver does anything to protect against injection?
 Or is it possible to say that the syntax is strict enough that any embedded operations in
data would not parse?
>> 
>> just some food for thought...
>> I'll be digging into this over the next couple weeks.  If people are interested,
I can throw a blog post out there with the findings.
>> 
>> -brian
>> 
>> -- 
>> Brian ONeill
>> Lead Architect, Health Market Science (http://healthmarketscience.com)
>> mobile:215.588.6024
>> blog: http://brianoneill.blogspot.com/
>> twitter: @boneill42
> 


Mime
View raw message