[https://issues.apache.org/jira/browse/TINKERPOP-2190?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16839283#comment-16839283]
Florian Hockmann commented on TINKERPOP-2190:
---------------------------------------------
Thanks a lot for taking care of this, [~spmallette], but isn't the 2nd listing
in the added docs wrong, as it still does not use the parameters for the query? The
query is built like this:
{code:java}
// The listing as it currently stands: user-controlled values are concatenated
// straight into the script text, so nodeId can terminate the string literal
// and append further statements.
String lbl = "person";
String nodeId = "mary').next();g.V().drop().iterate();g.V().has('id', 'thomas";
String query = "g.addV('" + lbl + "').property('identifier','" + nodeId + "')";{code}
so the real values of {{lbl}} and {{nodeId}} are used instead of their
parameter names. Shouldn't the 3rd line be this:
{code:java}
// Script text stays constant; lbl and nodeId are passed as bindings.
String query = "g.addV(lbl).property('identifier',nodeId)";{code}
Apart from that, we could also add a link to this section somewhere in the
Gremlin Server security section, as that contains all the other information relevant
to the security of Gremlin Server.
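The two styles side by side, as an added example that is not part of this comment or of the TinkerPop docs. It uses the Java driver's {{Client.submit(String, Map)}} to send the constant script with bindings; the server address, port and traversal source name {{g}} are assumptions, and the {{nodeId}} value is the constructed payload from the listing above.

```java
import java.util.HashMap;
import java.util.Map;
import org.apache.tinkerpop.gremlin.driver.Client;
import org.apache.tinkerpop.gremlin.driver.Cluster;
import org.apache.tinkerpop.gremlin.driver.ResultSet;

public class GremlinInjectionDemo {

    // Vulnerable form: caller-controlled values become part of the script text.
    static String buildUnsafeScript(String lbl, String nodeId) {
        return "g.addV('" + lbl + "').property('identifier','" + nodeId + "')";
    }

    // Safe form: the script is a fixed template; values travel as bindings and
    // are only ever seen by the server as String arguments, never as code.
    static final String SAFE_SCRIPT = "g.addV(lbl).property('identifier', nodeId)";

    static Map<String, Object> bindings(String lbl, String nodeId) {
        Map<String, Object> b = new HashMap<>();
        b.put("lbl", lbl);
        b.put("nodeId", nodeId);
        return b;
    }

    // Guard usable in a unit test: anything submitted as a script must equal the
    // template exactly; if input ever leaks into the text, this returns false.
    static boolean isTemplate(String script) {
        return SAFE_SCRIPT.equals(script);
    }

    public static void main(String[] args) {
        String lbl = "person";
        // Constructed sample input (the payload from the docs listing).
        String nodeId = "mary').next();g.V().drop().iterate();g.V().has('id', 'thomas";

        String unsafe = buildUnsafeScript(lbl, nodeId);
        System.out.println("concatenated:  " + unsafe + "  template? " + isTemplate(unsafe));
        // The concatenated script now contains three statements, one of them
        // g.V().drop().iterate(), which the server would happily evaluate.

        System.out.println("parameterized: " + SAFE_SCRIPT + "  template? " + isTemplate(SAFE_SCRIPT));

        // Submission with bindings against a Gremlin Server. Assumption: a server
        // on localhost:8182 exposing a traversal source named g.
        Cluster cluster = Cluster.build("localhost").port(8182).create();
        Client client = cluster.connect();
        try {
            ResultSet rs = client.submit(SAFE_SCRIPT, bindings(lbl, nodeId));
            rs.all().join().forEach(r -> System.out.println(r.getObject()));
        } finally {
            client.close();
            cluster.close();
        }
    }
}
```

Running {{main}} without a server still prints both scripts before the connection attempt, which is enough to see the difference: the concatenated text changes with the input, the parameterized text never does. A GLV traversal ({{g.addV(lbl).property("identifier", nodeId)}} over a remote traversal source) is parameterized by construction, since it sends bytecode with the values as arguments rather than script text.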
> Document Gremlin sanitization best practices
> --------------------------------------------
>
> Key: TINKERPOP-2190
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2190
> Project: TinkerPop
> Issue Type: Improvement
> Components: documentation
> Affects Versions: 3.3.6, 3.4.1
> Reporter: Florian Hockmann
> Assignee: stephen mallette
> Priority: Minor
> Fix For: 3.4.2
>
>
> We already have docs on how to prevent arbitrary code execution through the
> script engine, but nothing yet about injections in Gremlin, basically the
> equivalent of SQL injections.
> I wrote [a post on Stack Overflow|https://stackoverflow.com/questions/44473303/how-to-prevent-gremlin-injection-in-c/44538936#44538936]
> on this topic which we can use as a basis here.
> Possible topics include:
> * Difference between GLVs and Gremlin scripts
> * Demonstrate when and how injections can occur
> * How to prevent injections
> This could either be added as an [implementation recipe|http://tinkerpop.apache.org/docs/current/recipes/#_implementation_recipes]
> or as a sub section for [Gremlin Server security|http://tinkerpop.apache.org/docs/current/reference/#security].