vaticle / typedb-driver

TypeDB Drivers for Rust, Python, Java, Node.js, C, C++, and C#.
https://typedb.com
Apache License 2.0

Parameterized Queries to Prevent Injection Attacks #473

Open thomaschristopherking opened 1 year ago

thomaschristopherking commented 1 year ago

Problem to Solve

In Python, submitting a query using an f-string is susceptible to an injection attack. For example, the query f'match $p isa person, has first_name "{first_name}";' could become something dangerous if first_name is user input. N.b., injection attacks are third in the most recent OWASP top-ten list of security concerns: https://owasp.org/www-project-top-ten/

Current Workaround

Sanitising the input of every parameter that might go into an f-string. This is not flawless, however.

Proposed Solution

Many SQL and similar clients allow you to pass in the query parameters separately, so that the parameters are inserted into the database as data instead of being interpreted as data or TypeDB syntax.

It could look something like this.

tx.query().match(f'match $p isa person, has first_name #first_name;', first_name='Thomas')

Where an attempted attack such as this one would just cause the persistence of plain text.

tx.query().match(f'match $p isa person, has first_name #first_name;', first_name='delete $p;')

jamesreprise commented 1 year ago

Also see:

sanmai-NL commented 1 year ago

I prefer to construct typed and validated queries using a builder pattern or algebraic datatype, rather than string validations. The latter does help with syntax highlighting, but only if well-standardized and implemented. The former is more expressive and also allows one to concisely construct queries using arbitrary logic.
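The two approaches discussed in this thread, the `#name` parameter binding proposed in the opening post and the typed builder sanmai-NL prefers, side by side as an added illustration. This is example code written for this discussion, not the typedb-driver API: the `#name` placeholder syntax is borrowed from the proposal, `quote_string`, `render_param`, `bind`, `MatchIsa` and `is_single_statement` are hypothetical helpers, and the string-literal escape rules are an assumption rather than a statement of what TypeQL accepts. The f-string construction from the issue is kept as `unsafe_query` for comparison; the sample first names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Tuple, Union

Param = Union[str, int, float, bool]

# Placeholder syntax borrowed from the proposal in this issue: "#name" in the template.
PLACEHOLDER = re.compile(r"#([A-Za-z_][A-Za-z0-9_]*)")
# Identifiers the builder accepts for variables, types and attributes (an assumption).
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def quote_string(value: str) -> str:
    """Render a str as a double-quoted literal with backslash escapes (assumed rules).
    Backslash is escaped first so the escapes added afterwards are not doubled."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
               .replace("\n", "\\n").replace("\r", "\\r").replace("\t", "\\t"))
    return f'"{escaped}"'


def render_param(value: Param) -> str:
    """Render one parameter as a literal; any other type is rejected, never str()-ed."""
    if isinstance(value, bool):  # bool first: it is a subclass of int
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        return quote_string(value)
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def bind(template: str, **params: Param) -> str:
    """Replace every #name placeholder with a rendered literal (the issue's proposal).
    Unknown placeholders and unused parameters both raise, so a typo on either
    side fails loudly instead of silently sending a different query."""
    names = set(PLACEHOLDER.findall(template))
    missing, unused = names - set(params), set(params) - names
    if missing or unused:
        raise ValueError(f"missing={sorted(missing)} unused={sorted(unused)}")
    return PLACEHOLDER.sub(lambda m: render_param(params[m.group(1)]), template)


def unsafe_query(first_name: str) -> str:
    """The f-string construction from the issue, kept only for comparison."""
    return f'match $p isa person, has first_name "{first_name}";'


@dataclass(frozen=True)
class HasAttribute:
    attribute: str
    value: Param


@dataclass(frozen=True)
class MatchIsa:
    """A typed query value (the builder / algebraic-datatype alternative).
    Identifiers are checked against IDENT and values go through render_param,
    so no caller-supplied text is spliced into the query unchecked."""
    variable: str
    entity_type: str
    constraints: Tuple[HasAttribute, ...] = ()

    def to_query(self) -> str:
        idents = [self.variable, self.entity_type] + [c.attribute for c in self.constraints]
        bad = [i for i in idents if not IDENT.fullmatch(i)]
        if bad:
            raise ValueError(f"invalid identifier(s): {bad}")
        clauses = [f"${self.variable} isa {self.entity_type}"]
        clauses += [f"has {c.attribute} {render_param(c.value)}" for c in self.constraints]
        return "match " + ", ".join(clauses) + ";"


def is_single_statement(query: str) -> bool:
    """Coarse pre-submission check: string literals are balanced and exactly one
    ';' sits outside them. Not a parser for the full query language."""
    in_str, separators, i = False, 0, 0
    while i < len(query):
        c = query[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == ";":
            separators += 1
        i += 1
    return not in_str and separators == 1


TEMPLATE = "match $p isa person, has first_name #first_name;"

if __name__ == "__main__":
    # Constructed sample inputs: a plain name, the payload from the issue, and a name containing a quote.
    for value in ("Thomas", "delete $p;", 'Tho"mas'):
        bound = bind(TEMPLATE, first_name=value)
        built = MatchIsa("p", "person", (HasAttribute("first_name", value),)).to_query()
        print(f"bound  ok={is_single_statement(bound)}: {bound}")
        print(f"built  ok={is_single_statement(built)}: {built}")
        print(f"unsafe ok={is_single_statement(unsafe_query(value))}: {unsafe_query(value)}")
```

Both `bind` and `MatchIsa.to_query` funnel every value through `render_param`, so the issue's `delete $p;` payload and a name containing a double quote both end up as a single quoted literal, whereas `unsafe_query` leaves a quote in the input unescaped and `is_single_statement` reports the result as malformed. The builder additionally rejects identifiers (variable, type, attribute names) that do not match `IDENT`, which the template approach cannot do because those names are part of the template rather than parameters.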