Do developers need to sanitize JSON input before sending to Riak Client?

Kyle Marek-Spartz kyle.marek.spartz at gmail.com
Fri Dec 12 10:28:11 EST 2014


Ruby should "do the right thing" and escape your content appropriately,
that is, if you have a Ruby hash of:

{'test' => 'yes", "injection": "oops!"'}

JSON.dump will give you:

{"test":"yes\", \"injection\": \"oops!\""}


J. Austin Hughey writes:

> Thank you very much for the explanation, Jason. My example attack was probably a bit “off”, but the basic use case I’m thinking of is an API. Say I have an API that accepts JSON. The user has “spoofed” the JSON input to the API, possibly setting an “admin” flag or something (doesn’t matter what, specifically, just an example of how a property may be set). Assuming no other business logic validation (which of course I DEFINITELY plan to implement), I was simply curious whether, when sending info directly to Riak as JSON, the client did anything to sanitize input from injection.
>
> Think SQL injection, but JSON instead. Data is data, representation implementation differs, but the same concerns apply. I’m just trying to see what I need to do to prevent that injection-style attack from happening.
>
> Sounds like, based on your response (thanks again, by the way!), I need to validate the Ruby object after it’s created and ensure no invalid attributes or values exist, prior to its being sent to Riak.
>
> Any additional thoughts on other security concerns I should have here? I’m new to “NoSQL” and I like Riak due to its operational model, so I’d like to use it more often. I just need to know what I’m doing before I put an app out into the wild!
>
> Thanks again.

--
Kyle Marek-Spartz
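As an added example, not code from the post or from the Riak client: the JSON.dump escaping described above, next to the attribute whitelist the quoted reply arrives at (serialisation cannot stop a caller adding an "admin" key; only filtering the parsed object does). The allowed-key list is a hypothetical schema.

```ruby
require 'json'

# Constructed input (the post's example): a value containing quotes that would
# break out of a JSON string if the document were built by concatenation.
RAW = { 'test' => 'yes", "injection": "oops!"' }.freeze

# JSON.dump escapes the embedded quotes, so the value stays one string and
# parsing the text back gives the original hash with no extra key.
def serialised_round_trip(hash)
  text = JSON.dump(hash)
  [text, JSON.parse(text)]
end

# The quoted reply's concern is different: if the parsed object is stored
# as-is, the caller can add attributes such as "admin". The fix is to keep
# only the attributes the application expects before the object goes to Riak.
ALLOWED_KEYS = %w[name email].freeze # hypothetical schema for this example

def filter_attributes(parsed, allowed = ALLOWED_KEYS)
  raise ArgumentError, 'expected a JSON object' unless parsed.is_a?(Hash)
  parsed.select { |k, _| allowed.include?(k) }
end

# Parse an incoming request body and drop every key not in the schema.
def sanitise_payload(body)
  filter_attributes(JSON.parse(body))
end
```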
