Quoting Stephen Connolly <stephen.alan.conno...@gmail.com>:

All,

As Stephen said, regardless of the transfer protocol, if the content is parsed, then there is the potential for attacks. Just to illustrate, the typical injection pattern is:

    String user = getUserName();
    String cql = "select * from users where KEY='" + user + "';";
    execute_cql(cql);

Now, if the user string is obtained from an external source (e.g. a web form or other UI), then the attacker may enter a username of:

    jsmith'; DROP COLUMNFAMILY 'users

which results in a CQL query of:

    select * from users where KEY='jsmith'; DROP COLUMNFAMILY 'users';

Ouch. See also the obligatory XKCD cartoon: http://xkcd.com/327/

I guess one way to protect against this would be to pre-encode 'tainted' inputs as hex bytes, e.g. (using the examples from https://github.com/rantav/hector/wiki/Using-CQL)

    update Standard1 set '626972746879656172' = '31393736' WHERE KEY = '6d796b657931'

instead of

    update StandardLong1 set 'birthyear' = '1976' WHERE KEY = 'mykey1'

which ensures that there aren't any single quotes or other dangerous characters in those inputs - though I'm not sure if this works if you've set validators/comparators other than BytesType?

> nate,
>
> that is not relevant. cql is a text query that gets parsed. without
> parameters you have to build the query by string concatenation. if i give
> you a string which contains a single quote, unless you have written your app
> to escape that quote, i can force a corrupted query on you that does
> something else. .. cql injection attacks
>
> - Stephen
> ---
> Sent from my Android phone, so random spelling mistakes, random nonsense
> words and other nonsense are a direct result of using swype to type on the
> screen
>
> On 30 Jun 2011 20:20, "Nate McCall" <n...@datastax.com> wrote:
> > The CQL drivers are all still sitting on top of the execute_cql_query
> > Thrift API method for now.
> >
> > On Wed, Jun 29, 2011 at 2:12 PM, <dnalls...@taz.qinetiq.com> wrote:
> >>
> >> Someone asked a while ago whether Cassandra was vulnerable to injection attacks:
> >>
> >> http://stackoverflow.com/questions/5998838/nosql-injection-php-phpcassa-cassandra
> >>
> >> With Thrift, the answer was 'no'.
> >>
> >> With CQL, presumably the situation is different, at least until prepared
> >> statements are possible (CASSANDRA-2475) ?
> >>
> >> Has there been any discussion on this already that someone could point me to,
> >> please? I couldn't see anything on JIRA (searching for CQL AND injection, CQL
> >> AND security, etc).
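The concatenation pattern and the hex-encoding workaround discussed in the message above, as an added example that is not code from this thread, from Cassandra or from Hector. `split_statements` is an assumed, deliberately simplified splitter that only tracks single-quote state (enough to show how many statements the parser would see), `literals_are_hex` is an assumed check a caller could run before sending a query, and the attacker input is constructed from the message:

```python
import binascii
import re

HEX_RE = re.compile(r"^[0-9a-f]*$")


def build_cql_naive(user: str) -> str:
    # The vulnerable pattern from the message: tainted input spliced into the query text.
    return "select * from users where KEY='" + user + "';"


def hex_literal(value: bytes) -> str:
    # Lowercase hex, matching the Hector wiki examples ('mykey1' -> '6d796b657931').
    return binascii.hexlify(value).decode("ascii")


def build_cql_hex(user: str) -> str:
    # The proposed mitigation: hex-encode the tainted input before splicing it in.
    # Only hex digits can reach the query text, so no quote or ';' can close the literal.
    return "select * from users where KEY='" + hex_literal(user.encode("utf-8")) + "';"


def split_statements(cql: str) -> list:
    # Assumed, simplified splitter: breaks on ';' outside single-quoted literals.
    # A real parser does more, but this is sufficient to count top-level statements.
    statements, current, in_quote = [], [], False
    for ch in cql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmt = "".join(current).strip()
            if stmt:
                statements.append(stmt)
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def quoted_literals(cql: str) -> list:
    # Every single-quoted literal in the query text, i.e. what reached the parser as data.
    return re.findall(r"'([^']*)'", cql)


def literals_are_hex(cql: str) -> bool:
    # Defensive pre-send check (assumed helper): True only when every literal is pure hex.
    return all(HEX_RE.match(lit) for lit in quoted_literals(cql))


def decode_hex_literal(literal: str) -> str:
    # Round-trip: the original input, quote and all, is preserved as data, not syntax.
    return binascii.unhexlify(literal).decode("utf-8")


if __name__ == "__main__":
    # Constructed attacker input taken from the message above.
    tainted = "jsmith'; DROP COLUMNFAMILY 'users"
    for builder in (build_cql_naive, build_cql_hex):
        cql = builder(tainted)
        count = len(split_statements(cql))
        print(f"{builder.__name__}: {count} statement(s), literals hex={literals_are_hex(cql)}")
        print("  " + cql)
```

With the naive builder the splitter reports two statements, the second being the DROP; with the hex builder it reports one, and decoding the literal gives back the attacker's string unchanged as plain data. As the message notes, this only holds where the column family uses BytesType validators/comparators; the thread's own pointer to prepared statements (CASSANDRA-2475) is the approach that removes the concatenation entirely.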