vesoft-inc / nebula

A distributed, fast open-source graph database featuring horizontal scalability and high availability
https://nebula-graph.io
Apache License 2.0

Helpers to avoid injection attacks (similar to SQL injection) #3731

Open d4h0 opened 2 years ago

d4h0 commented 2 years ago

Hi,

Is your feature request related to a problem? Please describe.

Yes, it's related to the security of nebula graph databases.

As far as I can see, there isn't anything in Nebula that helps to prevent injection attacks.

Injection attacks are basically attacks where user input contains malicious content. If this malicious content is embedded in queries without escaping it, hackers can do unwanted things (like reading all data from the database, or executing code on the database server).

Here is a page from the documentation of ArangoDB (which also is a graph database) that explains the vulnerability and possible solutions further:

https://www.arangodb.com/docs/stable/aql/common-errors.html#parameter-injection-vulnerability

Here is a similar page from Neo4j:

https://neo4j.com/developer/kb/protecting-against-cypher-injection/

Currently, there doesn't seem to be anything in Nebula that helps to prevent this kind of attack – which would be insane, to be completely honest.

Right now, every Nebula user needs to create their own injection attack prevention functionality, which is very hard and error-prone (therefore it's very important that the database offers this functionality).

Describe the solution you'd like

A common way to prevent injection attacks is prepared statements with bind parameters (see any SQL database in wide use, or the ArangoDB and Neo4j links above).

Describe alternatives you've considered

Like I wrote, the alternative is to hand-roll my own solution – which is very hard and error-prone.

Additional context

I strongly believe this functionality should be added as soon as possible. Without this I can't even consider Nebula (which otherwise looks fantastic), and I'm sure many other people think the same (as an example, see this and the next comment, which basically say exactly this).

Shylock-Hg commented 2 years ago

Hello, we have the bind parameters now. All constants in a query can be replaced by parameters, so user input content will be checked by the type system. This will prevent injection attacks.
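An added illustration of the point above (not code from this thread or from the Nebula project): the statement text stays constant when the value is bound as a parameter, whereas splicing the value into the nGQL text lets any quote character in the input change the statement's grammar. The `execute_parameter()` call shape mentioned in the comments is my recollection of nebula3-python and is an assumption; nothing below talks to a server.

```python
# Added example (not from the Nebula project): constant statement text plus a
# parameter map versus splicing user input into nGQL. The nebula3-python call
# shape named in the comment below is an assumption, not taken from this thread.
from typing import Callable, Dict, Iterable, Tuple

Query = Tuple[str, Dict[str, str]]


def build_query_unsafe(player_name: str) -> Query:
    """Splices the raw value into the statement: the pattern to avoid.

    Any '"' in player_name terminates the string literal early, so the
    server parses a different statement than the developer wrote.
    """
    stmt = f'MATCH (v:player) WHERE v.player.name == "{player_name}" RETURN v'
    return stmt, {}


def build_query_parameterized(player_name: str) -> Query:
    """Keeps the statement text constant; the value travels separately.

    With nebula3-python the pair would be sent roughly as
        session.execute_parameter(stmt, params)   # assumed call shape
    where the server binds $name as a string value, so the input can never
    alter the statement's grammar, whatever characters it contains.
    """
    stmt = "MATCH (v:player) WHERE v.player.name == $name RETURN v"
    return stmt, {"name": player_name}


def count_string_literals(stmt: str) -> int:
    """Number of double-quoted literals a parser would see in the statement."""
    return stmt.count('"') // 2


def statement_is_stable(builder: Callable[[str], Query], inputs: Iterable[str]) -> bool:
    """True if the statement text is identical for every input value."""
    return len({builder(value)[0] for value in inputs}) == 1


# Constructed inputs: an ordinary name and a benign one that happens to
# contain a double quote (think of a nickname written with quotes).
SAMPLE_INPUTS = ["Tim Duncan", 'Tim "Timmy" Duncan', "Tony Parker"]
```

Run `statement_is_stable(build_query_unsafe, SAMPLE_INPUTS)` and the parameterized counterpart side by side: only the parameterized builder sends the same statement for all three values.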

d4h0 commented 2 years ago

Hi @Shylock-Hg, thanks for the fast response, this sounds fantastic!

Could you please point me to the documentation for these bind parameters?

Before I opened this issue I tried to find any information about prepared statements and bind parameters via Google, but I couldn't find anything.

For example, how would I use bind parameters with nebula-http-gateway or nebula-node?

I'm actually building an application that checks other applications if they are vulnerable to injection attacks (and other kinds of attacks). So it would be silly if my own app is vulnerable to injection attacks... ;)

Shylock-Hg commented 2 years ago

You could check example https://github.com/vesoft-inc/nebula-java/blob/ad4463b6bec34f654c4cd09c7c7a1831d3621061/examples/src/main/java/com/vesoft/nebula/examples/GraphClientExample.java#L153 in nebula-java and also in other clients.

d4h0 commented 2 years ago

Thank you, @Shylock-Hg.

My recommendation is to add a page with security information to the Nebula docs (similar to what I've linked above on the websites of ArangoDB and Neo4j), and also to document how to avoid injection attacks for every available client (for example, I can't see anything within the docs of nebula-http-gateway or nebula-node that indicates how to avoid injection attacks).

This has at least two benefits:

1) You educate people who don't know about injection attacks (and therefore reduce the risk that companies get hacked via Nebula, which could result in bad press for Nebula)

2) You don't lose the trust of people who do know about injection attacks (I'm pretty sure that of these people, at least in the West, most wouldn't use a database that doesn't help to prevent injection attacks, or a database that doesn't care enough about security to be very clear about how to avoid security vulnerabilities).

Ideally, these pages would be easy to find via search engines (so they should contain phrases like "parameter injection", "injection attack", "SQL injection", "prepared statements", "bind parameter").

I'm pretty sure, this all would help Nebula to be more successful (because otherwise, Nebula looks great).

Shylock-Hg commented 2 years ago

Good point. @randomJoe211 Please check it.

wey-gu commented 2 years ago

Thanks a lot @d4h0, this is gold to the community.

https://github.com/vesoft-inc/nebula-docs/issues/1057