Ruby should "do the right thing" and escape your content appropriately,
that is, if you have a Ruby hash of:
{'test' => 'yes", "injection": "oops!"'}
JSON.dump will give you:
{"test":"yes\", \"injection\": \"oops!\""}
J. Austin Hughey writes:
> Thank you very much for the explanation, Jason. My example attack was
> probably a bit “off”, but the basic use case I’m thinking of is an API. Say I
> have an API that accepts JSON. The user has “spoofed” the JSON input to the
> API, possibly setting an “admin” flag or something (doesn’t matter what,
> specifically, just an example of how a property may be set). Assuming no
> other business logic validation (which of course I DEFINITELY plan to
> implement), I was simply curious if, when sending info directly to Riak as
> JSON, if the client did anything to sanitize input from injection.
>
> Think SQL injection, but JSON instead. Data is data, representation
> implementation differs, but the same concerns apply. I’m just trying to see
> what I need to do to prevent that injection-style attack from happening.
>
> Sounds like, based on your response (thanks again, by the way!), I need to
> validate the Ruby object after it’s created and ensure no invalid attributes
> or values exist, prior to its being sent to Riak.
>
> Any additional thoughts on other security concerns I should have here? I’m
> new to “NoSQL” and I like Riak due to its operational model, so I’d like to
> use it more often. I just need to know what I’m doing before I put an app out
> into the wild!
>
> Thanks again.
--
Kyle Marek-Spartz
_______________________________________________
riak-users mailing list
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
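As an added example (not code from either poster or from the Riak client), the Ruby below shows the escaping described in the reply and the allow-list check on the parsed object that the reply suggests; the `name`/`email` field names and the rejected `admin` flag are assumptions for the example only.

```ruby
require 'json'

# Serialize a Ruby hash with JSON.dump and parse it back. A value that contains
# JSON syntax characters is escaped, so it cannot smuggle in a second key.
def round_trip(doc)
  wire = JSON.dump(doc)
  JSON.parse(wire)
end

# Attributes the API is allowed to set on a stored document. These names are
# assumptions for the example, not from the thread.
ALLOWED_KEYS = %w[name email].freeze

# Reject any parsed object carrying attributes outside the allow-list, e.g. a
# client-supplied "admin" flag, before it is handed to the datastore.
def sanitize_user(parsed)
  unexpected = parsed.keys - ALLOWED_KEYS
  raise ArgumentError, "unexpected attributes: #{unexpected.join(', ')}" unless unexpected.empty?
  parsed
end

# The hash from the reply: after dump and parse there is still exactly one key
# and its value is unchanged.
def injection_safe?
  doc = { 'test' => 'yes", "injection": "oops!"' }
  back = round_trip(doc)
  back.keys == ['test'] && back['test'] == doc['test']
end

# Constructed request body that tries to set an admin flag; the allow-list
# check must raise.
def admin_flag_rejected?
  body = '{"name":"alice","email":"alice@example.invalid","admin":true}'
  sanitize_user(JSON.parse(body))
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.dump('test' => 'yes", "injection": "oops!"')
  puts "escaping keeps one key: #{injection_safe?}"
  puts "admin flag rejected:    #{admin_flag_rejected?}"
end
```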