Do developers need to sanitize JSON input before sending to Riak Client?

Jason Campbell xiaclo at xiaclo.net
Fri Dec 12 08:18:32 EST 2014


Riak is binary storage; if there is an injection attack, it will be done against the Ruby portion, not against Riak.

The example you listed gives a ParserError when trying to load it via JSON, so I don’t understand how it could even get far enough in your code to reach Riak, unless you are not validating user input at all and just storing it in Riak.  There is nothing wrong with that, but then anything coming out of Riak should be considered untrusted and handled accordingly.

A typical workflow would be something like this:
  1. Load user input (a string) as JSON.  This will provide a Ruby object representing the JSON
  2. Validate / business logic / whatever you want
  3. Save the Ruby object (or a changed one) in Riak via the client
  4. The Ruby client will convert it to JSON and store the JSON in Riak
  5. On the next request, the Ruby client will load the JSON from Riak and convert it back to a Ruby object

So an “injection” object will either fail 1 (like this one) because it’s invalid and doesn’t parse or it will fail 2 because you aren’t letting users set the admin flag without permission (right?).  I’m not sure how to get to step 3 without a seriously flawed JSON library or not checking obvious things.

Regardless though, the injection attack isn’t hidden at any point.  If it parses, it will be a Ruby object with all the properties in plain sight, right up until you save it into Riak.

If I misunderstood, I’m sorry.  If so, can you clarify what assumption was wrong?

Hopefully this helps a bit,
Jason

> On 12 Dec 2014, at 22:30, J. Austin Hughey <jaustinhughey at gmail.com> wrote:
> 
>  
> Hi,
> 
> I’m fairly new to Riak, and I haven’t seen a clear answer to this question through Google, so I’m going to ask the list here.  
> 
> Do I need to sanitize user input BEFORE sending to the Riak client, or does the client handle sanitization? (I plan to use the Ruby client, but I may want to use a different language client later on too depending on the project.)
> 
> I can see the potential for injection here being a real issue:  
> 
> {  
> “username”:”bob”,
> “password_hash”:”abc123xyz\””,”admin”:”true"
> }
> 
> …or something like that. You get the idea. I’m just trying to get it right before I start building something that’s just begging to get owned.
> 
> Thanks.
> 
> --  
> J. Austin Hughey
> 
> 
> _______________________________________________
> riak-users mailing list
> riak-users at lists.basho.com
> http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
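An added example, written for this page and not code from the thread or from the Riak Ruby client, of the workflow Jason sketches above. It puts the string-concatenation pattern that the payload in the original question would exploit next to the build-a-Ruby-Hash-and-encode pattern, and shows the curly-quoted input failing to parse at step 1 while a straight-quoted version parses with the admin key in plain sight. ALLOWED_FIELDS, build_user_record and serialize_for_storage are hypothetical names standing in for the application's validation step and for the JSON encoding the client performs; all inputs are constructed.

```ruby
require 'json'

# Fields a user may set on their own record. "admin" is deliberately absent:
# it is server-controlled. (Hypothetical app schema, not a Riak client concept.)
ALLOWED_FIELDS = %w[username password_hash].freeze

# Constructed inputs. PAYLOAD is the value from the original question as an
# attacker would type it into a form field; CURLY_QUOTED is the same document
# with the smart quotes an e-mail client substitutes.
PAYLOAD = 'abc123xyz","admin":"true'
CURLY_QUOTED = '{“username”:”bob”,“admin”:”true”}'
STRAIGHT_QUOTED = '{"username":"bob","password_hash":"abc123xyz\"","admin":"true"}'

# Vulnerable pattern: the stored document is assembled by string concatenation,
# so a value containing `","admin":"true` smuggles in an extra key.
def build_user_json_unsafe(username, password_hash)
  %({"username":"#{username}","password_hash":"#{password_hash}"})
end

# Step 1 of the workflow: parse the request body. Malformed input (such as
# the curly-quoted document) raises JSON::ParserError here and goes no further.
def load_user_input(raw)
  JSON.parse(raw)
end

# Step 2: validation. Reject any field the user is not allowed to set, copy the
# permitted ones, and set admin from server-side policy, never from input.
def build_user_record(params)
  unknown = params.keys - ALLOWED_FIELDS
  raise ArgumentError, "disallowed fields: #{unknown.join(', ')}" unless unknown.empty?

  record = params.slice(*ALLOWED_FIELDS)
  record['admin'] = false
  record
end

# Step 4 stand-in: the client encodes the Ruby object as JSON before storing it.
# JSON.generate escapes the quote inside the value, so no new key can appear.
def serialize_for_storage(record)
  JSON.generate(record)
end

# Runs both patterns on the same payload and returns what each would store.
def demo
  unsafe_doc = build_user_json_unsafe('bob', PAYLOAD)
  unsafe_admin = JSON.parse(unsafe_doc)['admin']          # "true": injection worked

  safe_doc = serialize_for_storage(
    build_user_record('username' => 'bob', 'password_hash' => PAYLOAD)
  )
  stored = JSON.parse(safe_doc)                            # step 5: read back
  # The value round-trips intact and admin is still the server-chosen false.
  [unsafe_admin, stored['password_hash'], stored['admin']]
end

if __FILE__ == $PROGRAM_NAME
  p demo
  p load_user_input(STRAIGHT_QUOTED)   # admin key visible in the parsed Hash
  begin
    load_user_input(CURLY_QUOTED)
  rescue JSON::ParserError => e
    puts "curly-quoted input rejected at step 1: #{e.class}"
  end
end
```

Note that the straight-quoted version of the question's document is valid JSON: it parses to a Hash whose "admin" key is visible to the validation step, which is exactly where it has to be rejected. The only place a string-level injection can happen is when the application builds the document itself by concatenation instead of handing a Hash to the client.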