riak search java client - sql injection

Jason W jason.w.prog at gmail.com
Mon Mar 23 15:34:45 EDT 2015


Thanks. Looks like it is in the Solr ClientUtils.java class.  Now need to
decide whether to import solr into client code or dup the function.

Jason


On Mon, Mar 23, 2015 at 2:59 PM, Alexander Sicular <siculars at gmail.com>
wrote:

> I'll second what Chris said. Afaik, Solr does not solve this problem for
> you. Riak won't either. I just googled for "sanitize solr query inputs in
> java" and there are quite a few hits. I'd use that as a starting point but
> I'm a bit surprised there isn't a lib somewhere that makes this a non
> problem...
>
> -Alexander
>
>
> @siculars
> http://siculars.posthaven.com
>
> Sent from my iRotaryPhone
>
> On Mar 23, 2015, at 13:43, Jason W <jason.w.prog at gmail.com> wrote:
>
> Thanks Chris.  I meant the query injection.  Was really looking for an api
> that takes a parametrized query in the riak java client, do you know whether solr
> provides that?  It would not be an easy task to do a 100% secure sanitize
> function, the above query is really just a simple use case.
>
> Jason
>
> On Mon, Mar 23, 2015 at 1:49 PM, Christopher Meiklejohn <
> cmeiklejohn at basho.com> wrote:
>
>>
>> > On Mar 22, 2015, at 7:03 PM, Jason W <jason.w.prog at gmail.com> wrote:
>> >
>> > Hello,
>> >
>> > I am trying to use the riak search java client, specifically the
>> Search.Builder class, like the following:
>> >
>> > Search search = new Search.Builder("test", "_yz_rb:accounts AND email:"
>> + [user-email]).
>> >
>> >
>> >
>> > "[user-email]" is what the user entered in the login form. My question is
>> about sql injection: it seems like the java search client api doesn't
>> prevent sql injection. Are there any other api/methods that I can use to
>> prevent this?  Thank you
>>
>> Hello Jason,
>>
>> Search is not SQL; queries are specified in the Solr [1] query syntax so
>> they’re not vulnerable to a SQL injection attack, given the basis of a SQL
>> injection attack is to end a query and start a new one using unvalidated
>> syntax.  While it’s not directly the same thing, in the same class of
>> attacks it’s possible for a user to add additional criteria to the query
>> given the way you’ve written your search query.  I highly recommend you
>> sanitize your inputs before passing them to the query builder.
>>
>> - Chris
>>
>> [1] https://wiki.apache.org/solr/SolrQuerySyntax
>>
>> Christopher Meiklejohn
>> Senior Software Engineer
>> Basho Technologies, Inc.
>> cmeiklejohn at basho.com
>
>
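For the "dup the function" option Jason weighs above, here is a port of Solr's `ClientUtils.escapeQueryChars` wired into the account lookup from the thread. This is an added example, not code from the thread, from SolrJ or from the Riak Java client; the class name `SolrQueryEscape` and the helper `accountQuery` are mine, and the escaped character set is the one SolrJ's `escapeQueryChars` uses.

```java
public class SolrQueryEscape {

    // Port of SolrJ's ClientUtils.escapeQueryChars: every character that has
    // meaning in the Solr/Lucene query syntax is prefixed with a backslash, so
    // the user-supplied value can only ever match as a literal term.
    static String escapeQueryChars(String s) {
        StringBuilder sb = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '\\' || c == '+' || c == '-' || c == '!' || c == '(' || c == ')'
                    || c == ':' || c == '^' || c == '[' || c == ']' || c == '"'
                    || c == '{' || c == '}' || c == '~' || c == '*' || c == '?'
                    || c == '|' || c == '&' || c == ';' || c == '/'
                    || Character.isWhitespace(c)) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Builds the query string from the thread with the login-form value escaped.
    // The result is what you would hand to new Search.Builder("test", query)
    // instead of concatenating the raw form field.
    static String accountQuery(String userEmail) {
        return "_yz_rb:accounts AND email:" + escapeQueryChars(userEmail);
    }

    public static void main(String[] args) {
        // Normal login value (constructed): '@' and '.' are not query syntax,
        // so the string is unchanged and matches exactly one email term.
        System.out.println(accountQuery("alice@example.com"));
        // -> _yz_rb:accounts AND email:alice@example.com

        // Value containing query syntax (constructed): the space, the OR
        // operator and the field separator are escaped, so the extra criteria
        // Chris warns about stay part of the literal email term.
        System.out.println(accountQuery("alice@example.com OR email:*"));
        // -> _yz_rb:accounts AND email:alice@example.com\ OR\ email\:\*
    }
}
```

Escaping `*` and `?` also disables wildcard matching on the user-supplied term, which is what you want for an exact login lookup; the rest of the query (index and bucket clause) stays under the application's control.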