Do developers need to sanitize JSON input before sending to Riak Client?

Jason Campbell xiaclo at xiaclo.net
Fri Dec 12 18:24:02 EST 2014


Exactly, SQL injection happens because people construct SQL statements themselves and aren’t aware of correct escaping edge cases.  Use a library to convert between Ruby and JSON, and you’ll be fine on that front.  The same applies to SQL really.  SQL injection is impossible if you pass Ruby objects directly into an SQL library and let it escape them.

Security as a topic is much too large to cover in a mailing list, but the same principle applies.  Use proven libraries, and don’t try to do too much security yourself.  It’s hard, and you will most likely get it wrong.  Especially crypto.

Specific to Riak though, ensure you lock it down.  It applies to any database really, but if you can, remove any direct internet access from the boxes, firewall every port you can.  If you are using protocol buffers, you can disable HTTP access as well; it makes it a bit harder for an attacker.  Run Riak on a non-standard port, firewall communication between the Riak nodes.  Riak can also use a TLS certificate to encrypt handoff traffic, which can prevent data interception between Riak nodes.

That is by no means a complete list, but a starting point at least.  Security is a mindset: remove anything you don’t need, because the more tools you give an attacker, the worse things get, even if you think they are harmless.

Hope that helps,
Jason

> On 13 Dec 2014, at 02:28, Kyle Marek-Spartz <kyle.marek.spartz at gmail.com> wrote:
> 
> Ruby should "do the right thing" and escape your content appropriately,
> that is, if you have a Ruby hash of:
> 
> {'test' => 'yes", "injection": "oops!"'}
> 
> JSON.dump will give you:
> 
> {"test":"yes\", \"injection\": \"oops!\""}
> 
> 
> J. Austin Hughey writes:
> 
>> Thank you very much for the explanation, Jason. My example attack was probably a bit “off”, but the basic use case I’m thinking of is an API. Say I have an API that accepts JSON. The user has “spoofed” the JSON input to the API, possibly setting an “admin” flag or something (doesn’t matter what, specifically, just an example of how a property may be set). Assuming no other business logic validation (which of course I DEFINITELY plan to implement), I was simply curious if, when sending info directly to Riak as JSON, if the client did anything to sanitize input from injection.
>> 
>> Think SQL injection, but JSON instead. Data is data, representation implementation differs, but the same concerns apply. I’m just trying to see what I need to do to prevent that injection-style attack from happening.
>> 
>> Sounds like, based on your response (thanks again, by the way!), I need to validate the Ruby object after it’s created and ensure no invalid attributes or values exist, prior to its being sent to Riak.
>> 
>> Any additional thoughts on other security concerns I should have here? I’m new to “NoSQL” and I like Riak due to its operational model, so I’d like to use it more often. I just need to know what I’m doing before I put an app out into the wild!
>> 
>> Thanks again.
> 
> --
> Kyle Marek-Spartz
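The two points the thread makes, that hand-built JSON strings are where "JSON injection" comes from while `JSON.dump` escapes the value, and that the parsed object should be validated before it is stored, as an added Ruby example (not code from the thread or the Riak client). The `ALLOWED_KEYS` list is an assumed schema for illustration.

```ruby
require 'json'

# Constructed sample: a user-supplied value that happens to contain JSON syntax.
USER_INPUT = 'yes", "admin": true, "x": "'.freeze

# The unsafe pattern: assembling the JSON document with string interpolation.
# The quotes in the value are not escaped, so the value breaks out of its
# string and adds keys the caller never intended.
def naive_json(value)
  %({"test": "#{value}"})
end

# The safe pattern: build a Ruby hash and let the JSON library serialise it.
# Embedded quotes are escaped, so the whole input stays one string value.
def safe_json(value)
  JSON.dump({ 'test' => value })
end

# Keys a client is allowed to set (assumed schema, not from the thread).
# Anything else, such as an "admin" flag sent by the client, is dropped
# before the document goes to the database.
ALLOWED_KEYS = %w[test name email].freeze

def sanitize_document(json_text)
  parsed = JSON.parse(json_text)
  raise ArgumentError, 'document must be a JSON object' unless parsed.is_a?(Hash)
  parsed.select { |key, _| ALLOWED_KEYS.include?(key) }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{naive_json(USER_INPUT)}"   # extra "admin" key appears
  puts "safe:  #{safe_json(USER_INPUT)}"    # single "test" key, quotes escaped
  p sanitize_document('{"test":"ok","admin":true}')  # {"test"=>"ok"}
end
```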