From: Brian O'Neill
To: user@cassandra.apache.org
Date: Tue, 18 Jun 2013 09:46:49 -0400
Subject: Re: "SQL" Injection C* (via CQL & Thrift)

Perfect. Thanks Sylvain. That is exactly the input I was looking for, and I agree completely.
(It's easy enough to protect against)

As for the thrift side (i.e. using Hector or Astyanax), anyone have a crafty way to inject something?

At first glance, it doesn't appear possible, but I'm not 100% confident making that assertion.

-brian

---
Brian O'Neill
Lead Architect, Software Development
Health Market Science
The Science of Better Results
2700 Horizon Drive • King of Prussia, PA • 19406
M: 215.588.6024 • @boneill42 • healthmarketscience.com

This information transmitted in this email message is for the intended recipient only and may contain confidential and/or privileged material. If you received this email in error and are not the intended recipient, or the person responsible to deliver it to the intended recipient, please contact the sender at the email above and delete this email and any attachments and destroy any copies thereof. Any review, retransmission, dissemination, copying or other use of, or taking any action in reliance upon, this information by persons or entities other than the intended recipient is strictly prohibited.

From: Sylvain Lebresne <sylvain@datastax.com>
Reply-To: user@cassandra.apache.org
Date: Tuesday, June 18, 2013 8:51 AM
To: "user@cassandra.apache.org" <user@cassandra.apache.org>
Subject: Re: "SQL" Injection C* (via CQL & Thrift)

If you're not careful, then "CQL injection" is possible.

Say you naively build your query with
  "UPDATE foo SET col='" + user_input + "' WHERE key = 'k'"
then if user_input is "foo' AND col2='bar", your user will have overwritten a column it shouldn't have been able to. And something equivalent in a BATCH statement could allow to overwrite/delete some random row in some random table.

Now CQL being much more restricted than SQL (no subqueries, no generic transaction, ...), the extent of what you can do with a CQL injection is way smaller than in SQL. But you do have to be careful.

As far as the Datastax java driver is concerned, you can fairly easily protect yourself by using either:
1) prepared statements: if the user input is a prepared variable, there is nothing the user can do (it's "equivalent" to the thrift situation).
2) using the query builder: it will escape quotes in the strings you provided, thus avoiding injection.

So I would say that injections are definitively possible if you concatenate strings too naively, but I don't think preventing them is very hard.

--
Sylvain

On Tue, Jun 18, 2013 at 2:02 PM, Brian O'Neill <bone@alumni.brown.edu> wrote:
>
> Mostly for fun, I wanted to throw this out there...
>
> We are undergoing a security audit for our platform (C* + Elastic Search + Storm). One component of that audit is susceptibility to SQL injection. I was wondering if anyone has attempted to construct a SQL injection attack against Cassandra? Is it even possible?
>
> I know the code paths fairly well, but...
> Does there exist a path in the code whereby user data gets interpreted, which could be exploited to perform user operations?
>
> From the Thrift side of things, I've always felt safe. Data is opaque. Serializers are used to convert it to Bytes, and C* doesn't ever really do anything with the data.
>
> In examining the CQL java-driver, it looks like there might be a bit more exposure to injection. (or even CQL over Thrift) I haven't dug into the code yet, but dependent on which flavor of the API you are using, you may be including user data in your statements.
>
> Does anyone know if the CQL java-driver does anything to protect against injection? Or is it possible to say that the syntax is strict enough that any embedded operations in data would not parse?
>
> just some food for thought...
> I'll be digging into this over the next couple weeks. If people are interested, I can throw a blog post out there with the findings.
>
> -brian
>
> --
> Brian ONeill
> Lead Architect, Health Market Science (http://healthmarketscience.com)
> mobile:215.588.6024
> blog: http://brianoneill.blogspot.com/
> twitter: @boneill42
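The following is an added example, not code from this thread or from the DataStax driver. It reproduces Sylvain's UPDATE scenario and Brian's question of whether user data ever gets "interpreted": a naive concatenation turns the value "foo' AND col2='bar" into a second SET assignment, while doubling single quotes (the string-literal escape rule CQL shares with SQL, and the kind of escaping Sylvain says the query builder performs) keeps the whole input inside one literal. The small literal-aware scanner is a useful audit check on its own: run it over statements an application emits and count assignments outside string literals. All function names here are made up for the example; with real prepared statements the value is never spliced into the statement text at all, so no escaping step is even needed.

```python
"""Constructed example: CQL injection via string concatenation, and the
quote-doubling escape that defeats it. Hypothetical helper names throughout."""

import re


def build_naive(user_input: str) -> str:
    # The exact pattern from the thread: user data pasted straight into CQL.
    return "UPDATE foo SET col='" + user_input + "' WHERE key = 'k'"


def escape_literal(value: str) -> str:
    # CQL, like SQL, writes a single quote inside a string literal as ''.
    return value.replace("'", "''")


def build_escaped(user_input: str) -> str:
    # Same statement, but the value is escaped before it enters the text.
    return "UPDATE foo SET col='" + escape_literal(user_input) + "' WHERE key = 'k'"


def split_literals(stmt: str):
    """Split a statement into ('code', text) and ('literal', text) pieces,
    honouring the '' escape inside literals. Raises on an unterminated literal."""
    pieces, i, n = [], 0, len(stmt)
    while i < n:
        if stmt[i] != "'":
            j = stmt.find("'", i)
            j = n if j == -1 else j
            pieces.append(("code", stmt[i:j]))
            i = j
            continue
        j, buf = i + 1, []
        while j < n:
            if stmt[j] == "'":
                if j + 1 < n and stmt[j + 1] == "'":
                    buf.append("'")  # doubled quote: literal quote character
                    j += 2
                    continue
                break  # single quote: end of literal
            buf.append(stmt[j])
            j += 1
        else:
            raise ValueError("unterminated string literal")
        pieces.append(("literal", "".join(buf)))
        i = j + 1
    return pieces


def set_assignments(stmt: str):
    """Column names assigned in the SET clause of an UPDATE, counted only in
    the text outside string literals, so attacker text inside a literal is
    never mistaken for syntax. Returns a list of column names."""
    code = " ".join(text for kind, text in split_literals(stmt) if kind == "code")
    m = re.search(r"\bSET\b(.*?)\bWHERE\b", code, re.I | re.S)
    return re.findall(r"(\w+)\s*=", m.group(1)) if m else []


if __name__ == "__main__":
    # Constructed malicious value from the thread.
    inj = "foo' AND col2='bar"
    print("naive   :", build_naive(inj))
    print("  SET assigns", set_assignments(build_naive(inj)))    # ['col', 'col2']
    print("escaped :", build_escaped(inj))
    print("  SET assigns", set_assignments(build_escaped(inj)))  # ['col']
```

Reading the two outputs side by side shows the point Sylvain makes: the naive statement now assigns both col and col2, while the escaped statement assigns only col and the scanner recovers the user's original text as a single literal value. A detection rule built on set_assignments (flag any UPDATE whose assignment count differs from the one the application template was written with) catches the injected form without having to understand the attacker's payload.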
