Do developers need to sanitize JSON input before sending to Riak Client?

J. Austin Hughey jaustinhughey at gmail.com
Fri Dec 12 09:04:18 EST 2014


Thank you very much for the explanation, Jason. My example attack was probably a bit “off”, but the basic use case I’m thinking of is an API. Say I have an API that accepts JSON. The user has “spoofed” the JSON input to the API, possibly setting an “admin” flag or something (doesn’t matter what, specifically, just an example of how a property may be set). Assuming no other business logic validation (which of course I DEFINITELY plan to implement), I was simply curious whether, when sending info directly to Riak as JSON, the client did anything to sanitize input from injection.

Think SQL injection, but JSON instead. Data is data, representation implementation differs, but the same concerns apply. I’m just trying to see what I need to do to prevent that injection-style attack from happening.

Sounds like, based on your response (thanks again, by the way!), I need to validate the Ruby object after it’s created and ensure no invalid attributes or values exist, prior to its being sent to Riak.

Any additional thoughts on other security concerns I should have here? I’m new to “NoSQL” and I like Riak due to its operational model, so I’d like to use it more often. I just need to know what I’m doing before I put an app out into the wild!

Thanks again.

--  
J. Austin Hughey

On December 12, 2014 at 7:18:36 AM, Jason Campbell (xiaclo at xiaclo.net) wrote:

> Riak is binary storage, if there is an injection attack, it will be done against the Ruby portion, not against Riak.
>  
> The example you listed gives a ParserError when trying to load it via JSON, so I don’t understand how it could even get far enough in your code to reach Riak, unless you are not validating user input at all and just storing it in Riak. There is nothing wrong with that, but then anything coming out of Riak should be considered untrusted and handled accordingly.
>  
> A typical workflow would be something like this:
> 1. Load user input (a string) as JSON. This will provide a Ruby object representing the JSON
> 2. Validate / business logic / whatever you want
> 3. Save the Ruby object (or a changed one) in Riak via the client
> 4. The Ruby client will convert it to JSON and store the JSON in Riak
> 5. On the next request, the Ruby client will load the JSON from Riak and convert it back to a Ruby object
>  
> So an “injection” object will either fail 1 (like this one) because it’s invalid and doesn’t parse or it will fail 2 because you aren’t letting users set the admin flag without permission (right?). I’m not sure how to get to step 3 without a seriously flawed JSON library or not checking obvious things.
>  
> Regardless though, the injection attack isn’t hidden at any point. If it parses, it will be a Ruby object with all the properties in plain sight, right up until you save it into Riak.
>  
> If I misunderstood, I’m sorry. If so, can you clarify what assumption was wrong?
>  
> Hopefully this helps a bit,
> Jason
>  
> > On 12 Dec 2014, at 22:30, J. Austin Hughey wrote:
> >
> >
> > Hi,
> >
> > I’m fairly new to Riak, and I haven’t seen a clear answer to this question through Google, so I’m going to ask the list here.
> >
> > Do I need to sanitize user input BEFORE sending to the Riak client, or does the client handle sanitization? (I plan to use the Ruby client, but I may want to use a different language client later on too depending on the project.)
> >
> > I can see the potential for injection here being a real issue:
> >
> > {
> > “username”:”bob”,
> > “password_hash”:”abc123xyz\””,”admin”:”true"
> > }
> >
> > …or something like that. You get the idea. I’m just trying to get it right before I start building something that’s just begging to get owned.
> >
> > Thanks.
> >
> > --
> > J. Austin Hughey
> >
> >
> > _______________________________________________
> > riak-users mailing list
> > riak-users at lists.basho.com
> > http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
>  
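The workflow Jason lays out (parse the request body, validate it, only then hand a Ruby object to the client, which serialises it to JSON) is shown below as an added example; it is not code from this thread or from the Riak Ruby client. `FakeBucket` is an assumed in-memory stand-in for a Riak bucket that mimics the client's JSON round-trip, and `ALLOWED_USER_FIELDS`, `InvalidInput`, `parse_user_input`, `validate_user` and `store_user` are hypothetical names. It demonstrates the two points made in the reply: a spoofed `"admin"` property is visible as an ordinary hash key once parsed and is caught by an allow-list check, and a quote character inside a string value is just data that survives the JSON round-trip unchanged.

```ruby
require 'json'

# Attributes a client is permitted to supply for a user document (assumed schema).
# Anything outside this list, such as "admin", is rejected before storage.
ALLOWED_USER_FIELDS = %w[username password_hash].freeze

class InvalidInput < StandardError; end

# Step 1: load the raw request body as JSON. A malformed body raises
# JSON::ParserError, which is mapped to InvalidInput so the API can answer 400.
def parse_user_input(body)
  parsed = JSON.parse(body)
  raise InvalidInput, 'document must be a JSON object' unless parsed.is_a?(Hash)
  parsed
rescue JSON::ParserError => e
  raise InvalidInput, "malformed JSON: #{e.message}"
end

# Step 2: business validation on the Ruby object. Unknown keys are rejected
# rather than silently dropped, so a spoofed flag shows up in logs and tests.
def validate_user(doc)
  extra = doc.keys - ALLOWED_USER_FIELDS
  raise InvalidInput, "unexpected attribute(s): #{extra.join(', ')}" unless extra.empty?
  missing = ALLOWED_USER_FIELDS - doc.keys
  raise InvalidInput, "missing attribute(s): #{missing.join(', ')}" unless missing.empty?
  ALLOWED_USER_FIELDS.each do |key|
    value = doc[key]
    raise InvalidInput, "#{key} must be a non-empty string" unless value.is_a?(String) && !value.empty?
  end
  # Server-controlled fields are set here and never taken from the request.
  doc.merge('admin' => false)
end

# Steps 3-5: stand-in for a Riak bucket. Like the client, it serialises the
# Ruby object to JSON on write and parses it back into a Ruby object on read.
class FakeBucket
  def initialize
    @store = {}
  end

  def put(key, obj)
    @store[key] = JSON.generate(obj)
  end

  def get(key)
    JSON.parse(@store.fetch(key))
  end
end

# Full request path: parse, validate, store, then read back what was persisted.
def store_user(bucket, body)
  doc = validate_user(parse_user_input(body))
  bucket.put(doc['username'], doc)
  bucket.get(doc['username'])
end
```

Running `store_user` on a body that carries the extra `"admin":"true"` property raises `InvalidInput` at step 2, before anything reaches the bucket; a body whose `password_hash` contains an embedded `\"` parses to a plain string with a quote in it and is stored and read back byte-for-byte, because the client escapes it on the way out and unescapes it on the way in.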