Riak is binary storage; if there is an injection attack, it will be done 
against the Ruby portion, not against Riak.

The example you listed gives a ParserError when trying to load it via JSON, so 
I don’t understand how it could even get far enough in your code to reach Riak, 
unless you are not validating user input at all and just storing it in Riak.  
There is nothing wrong with that, but then anything coming out of Riak should 
be considered untrusted and handled accordingly.

A typical workflow would be something like this:
  1. Load user input (a string) as JSON.  This will provide a Ruby object 
representing the JSON
  2. Validate / business logic / whatever you want
  3. Save the Ruby object (or a changed one) in Riak via the client
  4. The Ruby client will convert it to JSON and store the JSON in Riak
  5. On the next request, the Ruby client will load the JSON from Riak and 
convert it back to a Ruby object

So an “injection” object will either fail 1 (like this one) because it’s 
invalid and doesn’t parse or it will fail 2 because you aren’t letting users 
set the admin flag without permission (right?).  I’m not sure how to get to 
step 3 without a seriously flawed JSON library or not checking obvious things.

Regardless though, the injection attack isn’t hidden at any point.  If it 
parses, it will be a Ruby object with all the properties in plain sight, right 
up until you save it into Riak.

If I misunderstood, I’m sorry.  If so, can you clarify what assumption was 
wrong?

Hopefully this helps a bit,
Jason

> On 12 Dec 2014, at 22:30, J. Austin Hughey <jaustinhug...@gmail.com> wrote:
> 
>  
> Hi,
> 
> I’m fairly new to Riak, and I haven’t seen a clear answer to this question 
> through Google, so I’m going to ask the list here.  
> 
> Do I need to sanitize user input BEFORE sending to the Riak client, or does 
> the client handle sanitization? (I plan to use the Ruby client, but I may 
> want to use a different language client later on too depending on the 
> project.)
> 
> I can see the potential for injection here being a real issue:  
> 
> {  
> “username”:”bob”,
> “password_hash”:”abc123xyz\””,”admin”:”true"
> }
> 
> …or something like that. You get the idea. I’m just trying to get it right 
> before I start building something that’s just begging to get owned.
> 
> Thanks.
> 
> --  
> J. Austin Hughey
> 
> 
> _______________________________________________
> riak-users mailing list
> riak-users@lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
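The workflow Jason lays out above (parse, validate, let the client serialize, treat what comes back out as untrusted), as an added example that is not code from this thread or from the Riak Ruby client. It uses only Ruby's standard json library; a plain Hash stands in for the Riak bucket, and the field names, ALLOWED_FIELDS and the two sample request bodies are constructed for the example. It also covers the case the original message was driving at: a quote smuggled into a field value is escaped by JSON.generate, so it cannot break out of the string and add an "admin" key.

```ruby
require 'json'

# Fields a user may set on their own record. Anything else in the submitted
# JSON (e.g. "admin") is visible in the parsed Hash and simply not copied.
ALLOWED_FIELDS = %w[username password_hash].freeze

# Constructed sample bodies. The first uses the curly quotes from the original
# message and is not valid JSON; the second is the same structure with
# straight quotes, which parses and exposes the extra "admin" key.
SMART_QUOTE_BODY = '{ “username”:”bob”, “password_hash”:”abc123xyz\””,”admin”:”true" }'
STRAIGHT_BODY    = '{"username":"bob","password_hash":"abc123xyz\\"","admin":"true"}'

# Step 1: parse the raw request body. Invalid JSON raises JSON::ParserError,
# so nothing reaches the store; nil signals a rejected request.
def parse_user_input(raw)
  JSON.parse(raw)
rescue JSON::ParserError
  nil
end

# Step 2: validation / business logic. The parsed object is a plain Hash, so
# privilege fields are dropped by keeping only the allowed keys and then
# setting "admin" explicitly on the server side.
def sanitize_user_record(obj)
  return nil unless obj.is_a?(Hash)
  return nil unless obj['username'].is_a?(String) && !obj['username'].empty?
  return nil unless obj['password_hash'].is_a?(String)
  obj.slice(*ALLOWED_FIELDS).merge('admin' => false)
end

# Steps 3-4: the client serializes the Ruby object to JSON. A Hash stands in
# for the Riak bucket here (an assumption; the real client is not used).
STORE = {}

def save_record(key, record)
  STORE[key] = JSON.generate(record)
end

# Step 5: load the stored JSON back. Whatever comes out of the store is
# treated as untrusted: it is parsed (never eval'd) and its shape re-checked.
def load_record(key)
  raw = STORE[key]
  return nil if raw.nil?
  obj = parse_user_input(raw)
  obj.is_a?(Hash) ? obj : nil
end

def process_request(raw_body)
  obj = parse_user_input(raw_body)
  return :rejected_invalid_json if obj.nil?
  record = sanitize_user_record(obj)
  return :rejected_invalid_record if record.nil?
  save_record(record['username'], record)
  :stored
end

# The "break out of the string" case: a value containing a quote and a fake
# key is escaped on serialization, so the stored document still has exactly
# the keys the application put there.
def roundtrip_value(value)
  stored = JSON.generate('username' => 'eve', 'password_hash' => value, 'admin' => false)
  JSON.parse(stored)
end

if __FILE__ == $PROGRAM_NAME
  puts process_request(SMART_QUOTE_BODY)   # rejected_invalid_json
  puts process_request(STRAIGHT_BODY)      # stored
  puts STORE['bob']                        # "admin":false, attacker's value intact
  puts roundtrip_value('x","admin":"true').keys.inspect
end
```

Running the file shows the curly-quote body rejected at step 1, the straight-quote body stored with `"admin":false` regardless of what the client sent, and the smuggled `","admin":"true` kept as a literal password_hash value rather than a new key.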

