Impetus / kundera

A JPA 2.1 compliant Polyglot Object-Datastore Mapping Library for NoSQL Datastores. Please subscribe to:
http://groups.google.com/group/kundera-discuss/subscribe
Apache License 2.0

Does Kundera Cassandra EntityManager API use Cassandra PreparedStatement? #969

Open yulingchen54 opened 6 years ago

yulingchen54 commented 6 years ago

Hi All,

We would like to use Cassandra PreparedStatement via Kundera. However, I'm not sure whether the Kundera entityManager API uses PreparedStatement internally?

entityManager.find(entityClass, primaryKey)
Query query = entityManager.createNativeQuery(nativeQuery,entityClass);

The reason for us to use PreparedStatement is to avoid SQL injection. How does Kundera guarantee that it is not vulnerable to SQL injection?

Thanks, YuLing

karthikprasad13 commented 6 years ago

Hi @yulingchen54,

Kundera does not use PreparedStatement to execute queries. CQL itself has some features which prevent injection. Features like:

You can write a custom function on query to check for other validations for injections that you think are possible in your application.

-Karthik

yulingch commented 6 years ago

Thanks Karthik for the quick reply.

I did see that the nativeQuery and other types of query support parameter settings. Would that be equivalent to the PreparedStatement variable binding? Now we observe that if we pass a single-quote-encased value in the where clause, the query will fail. If we use the parameter options in the nativeQuery, would that fix the issue?

Thanks, YuLing
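To make the two options in the question above concrete, here is an added example (not code from the Kundera project or from either commenter) contrasting a concatenated CQL string with the JPA parameter-binding form, plus the kind of input validation Karthik mentions. It assumes a hypothetical `users` table and `User` entity, and it assumes Kundera honours JPA named parameters on native queries; the thread leaves open whether that binding happens server-side as a PreparedStatement or by client-side substitution, which is why the validation check is kept as well.

```java
import java.util.List;
import java.util.regex.Pattern;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.EntityManager;
import javax.persistence.Id;
import javax.persistence.Query;
import javax.persistence.Table;

public class UserLookup {

    // Hypothetical entity for illustration only.
    @Entity
    @Table(name = "users")
    public static class User {
        @Id
        @Column(name = "user_id")
        public String userId;
    }

    // Whitelist for identifiers; adjust to the real key format (assumption).
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    // Risky form: the caller-supplied value becomes part of the CQL text,
    // so a value containing a single quote changes or breaks the statement
    // (the failure observed in the thread above).
    static String buildConcatenated(String userId) {
        return "SELECT * FROM users WHERE user_id = '" + userId + "'";
    }

    // Preferred form: the CQL text stays fixed and the value is passed through
    // JPA's setParameter. Whether Kundera binds this server-side is unconfirmed
    // here, so the value is also validated against a whitelist first.
    static List<?> findByUserId(EntityManager em, String userId) {
        if (!SAFE_ID.matcher(userId).matches()) {
            throw new IllegalArgumentException("user_id failed validation");
        }
        Query q = em.createNativeQuery(
                "SELECT * FROM users WHERE user_id = :uid", User.class);
        q.setParameter("uid", userId);
        return q.getResultList();
    }
}
```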

yulingch commented 6 years ago

B.T.W. Karthik, could it be possible for Kundera to support the PreparedStatement provided by CQL down the road? PreparedStatement is recommended as the first line of defense against SQL injection by OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Thanks, YuLing

karthikprasad13 commented 6 years ago

@yulingch

We don't have it in our road map as of now. We can think about it in future releases.

-Karthik