Exactly, SQL injection happens because people construct SQL statements 
themselves and aren’t aware of correct escaping edge cases.  Use a library to 
convert between Ruby and JSON, and you’ll be fine on that front.  The same 
applies to SQL really.  SQL injection is impossible if you pass Ruby objects 
directly into an SQL library and let it escape them.

Security as a topic is much too large to cover in a mailing list, but the same 
principle applies.  Use proven libraries, and don’t try to do too much security 
yourself.  It’s hard, and you will most likely get it wrong.  Especially crypto.

Specific to Riak though, ensure you lock it down.  It applies to any database 
really, but if you can, remove any direct internet access from the boxes and 
firewall every port you can.  If you are using protocol buffers, you can 
disable HTTP access as well; it makes it a bit harder for an attacker.  Run 
Riak on a non-standard port, and firewall communication between the Riak nodes.  
Riak can also use a TLS certificate to encrypt handoff traffic, which can 
prevent data interception between Riak nodes.

That is by no means a complete list, but a starting point at least.  Security 
is a mindset: remove anything you don’t need, because the more tools you give 
an attacker, the worse things get, even if you think they are harmless.

Hope that helps,
Jason

> On 13 Dec 2014, at 02:28, Kyle Marek-Spartz <kyle.marek.spa...@gmail.com> 
> wrote:
> 
> Ruby should "do the right thing" and escape your content appropriately,
> that is, if you have a Ruby hash of:
> 
> {'test' => 'yes", "injection": "oops!"'}
> 
> JSON.dump will give you:
> 
> {"test":"yes\", \"injection\": \"oops!\""}
> 
> 
> J. Austin Hughey writes:
> 
>> Thank you very much for the explanation, Jason. My example attack was 
>> probably a bit “off”, but the basic use case I’m thinking of is an API. Say 
>> I have an API that accepts JSON. The user has “spoofed” the JSON input to 
>> the API, possibly setting an “admin” flag or something (doesn’t matter what, 
>> specifically, just an example of how a property may be set). Assuming no 
>> other business logic validation (which of course I DEFINITELY plan to 
>> implement), I was simply curious if, when sending info directly to Riak as 
>> JSON, if the client did anything to sanitize input from injection.
>> 
>> Think SQL injection, but JSON instead. Data is data, representation 
>> implementation differs, but the same concerns apply. I’m just trying to see 
>> what I need to do to prevent that injection-style attack from happening.
>> 
>> Sounds like, based on your response (thanks again, by the way!), I need to 
>> validate the Ruby object after it’s created and ensure no invalid attributes 
>> or values exist, prior to its being sent to Riak.
>> 
>> Any additional thoughts on other security concerns I should have here? I’m 
>> new to “NoSQL” and I like Riak due to its operational model, so I’d like to 
>> use it more often. I just need to know what I’m doing before I put an app 
>> out into the wild!
>> 
>> Thanks again.
> 
> --
> Kyle Marek-Spartz


_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com