Mostly for fun, I wanted to throw this out there...

We are undergoing a security audit for our platform (C* + Elastic Search + Storm).  One component of that audit is susceptibility to SQL injection.  I was wondering if anyone has attempted to construct a SQL injection attack against Cassandra?  Is it even possible?

I know the code paths fairly well, but...
Does there exists a path in the code whereby user data gets interpreted, which could be exploited to perform user operations?

From the Thrift side of things, I've always felt safe.  Data is opaque.  Serializers are used to convert it to Bytes, and C* doesn't ever really do anything with the data.

In examining the CQL java-driver, it looks like there might be a bit more exposure to injection.  (or even CQL over Thrift)  I haven't dug into the code yet, but dependent on which flavor of the API you are using, you may be including user data in your statements.  

Does anyone know if the CQL java-driver does anything to protect against injection?  Or is it possible to say that the syntax is strict enough that any embedded operations in data would not parse?

just some food for thought...
I'll be digging into this over the next couple weeks.  If people are interested, I can throw a blog post out there with the findings.


Brian ONeill
Lead Architect, Health Market Science (
twitter: @boneill42