Created
May 20, 2011 20:14
-
-
Save PharkMillups/983702 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 3:31 <dambalah> is riak susceptible to some kind of 'injection attack'? | |
| If so, what's an example and what do application developers | |
| need to do to prevent these? | |
| 13:31 <aphyr> No. Yes. | |
| 13:32 <dambalah> haha... best answer ever. | |
| 13:32 <aphyr> Basically, it's vulnerable to injection attacks in | |
| the same sense that any protocol written by software which violates | |
| layer boundaries is. | |
| 13:33 <aphyr> The protocol itself is fairly hard to fuck up, same as mysql. | |
| 13:33 <aphyr> The problem would lie in your client. | |
| 13:33 <aphyr> For example, if you chose to do something like write a mapreduce | |
| query in which you inserted an unescaped string... | |
| 13:33 <aphyr> That string could execute as code and produce unexpected results. | |
| 13:34 <aphyr> That's somewhat isomorphic to an SQL injection attack. | |
| 13:34 <dambalah> makes sense | |
| 13:34 <aphyr> And if your client fails to escape strings correctly, | |
| that can cause issues to. | |
| 13:35 <aphyr> i.e., if the client library constructs HTTP URIs without | |
| escaping the key or bucket... | |
| 13:35 <Vagabond> yeah, the code in a M/R you'd need to be careful about | |
| 13:36 <aphyr> There's a pretty easy way to prevent | |
| that: pass user-supplied data as an argument to the MR function | |
| instead of embedding it in the source. | |
| 13:38 <dambalah> thanks | |
| 13:39 <aphyr> Really, the answer is: don't shoot yourself in the | |
| foot and you'll be fine. | |
| 13:39 <Vagabond> an attacker would have to work a lot harder to do | |
| something like a SQL injection attack | |
| 13:39 <aphyr> The whole genre of SQL injection attacks came about because | |
| millions of PHP programmers thought it was perfectly OK to do things like | |
| "select * from users where user_id = $user" | |
| 13:40 <Vagabond> well, SQL makes it easy to do | |
| 13:40 <aphyr> Not if you use a proper library. | |
| 13:40 <Vagabond> its not just PHP programmers that do it like that | |
| 13:40 <aphyr> I don't think I've ever used an SQL interface in any | |
| language that didn't know how to do parameterized string substitution. | |
| 13:41 <Vagabond> sure, but its 'harder' | |
| 13:41 <aphyr> Oh, right, haha yeah I forgot. | |
| 13:41 <* aphyr> goes back to sequel, the impossible-to-use toolkit. :) | |
| 13:41 <Vagabond> personally, I use parameterized queries too | |
| 13:42 <Vagabond> but lots of people don't even know they exist |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment