typedb-driver
Parameterized Queries to Prevent Injection Attacks
Problem to Solve
In Python, submitting a query using an f-string is susceptible to an injection attack. For example, the query `f'match $p isa person, has first_name "{first_name}";'`
could become something dangerous if `first_name` is user input. N.b., injection attacks are third in the most recent OWASP Top Ten list of security concerns: https://owasp.org/www-project-top-ten/
Current Workaround
Sanitising the input of every parameter that might go into an f-string. This is not flawless, however.
Proposed Solution
Many SQL and similar clients allow you to pass in the query parameters separately, so that the parameters are inserted into the database as data instead of being interpreted as data or TypeDB syntax.
It could look something like this:

```python
tx.query().match(f'match $p isa person, has first_name #first_name;', first_name='Thomas')
```

An attempted attack such as this one would then just cause the persistence of plain text:

```python
tx.query().match(f'match $p isa person, has first_name #first_name;', first_name='delete $p;')
```
Also see:
- https://github.com/vaticle/typedb/issues/5716
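As an added illustration of the `#name` placeholder scheme proposed above (example code written for this page, not part of typedb-driver), the hypothetical helper `bind_params` below renders each parameter as a quoted TypeQL literal before it reaches the query text, beside the f-string pattern the issue warns about. It assumes TypeQL string literals are double-quoted with backslash-escaped `\` and `"`; check that against the TypeQL grammar of the server version in use.

```python
import re
from typing import Union

# Placeholder syntax mirrors the proposal above: "#name" inside the query text.
# Templates must not contain a literal '#' for any other purpose.
_PLACEHOLDER = re.compile(r"#([A-Za-z_][A-Za-z0-9_]*)")

Param = Union[str, int, float, bool]


def quote_typeql(value: Param) -> str:
    """Render a Python value as a TypeQL literal (hypothetical helper).

    Assumption: strings are double-quoted and backslash/double-quote are
    backslash-escaped. Verify against the TypeQL grammar you target.
    """
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def bind_params(template: str, **params: Param) -> str:
    """Substitute every #name placeholder with a quoted literal.

    Every placeholder needs a value and every value must be used, so a typo
    cannot silently leave user text in the template unquoted.
    """
    names = set(_PLACEHOLDER.findall(template))
    missing = names - params.keys()
    unused = params.keys() - names
    if missing or unused:
        raise ValueError(f"missing={sorted(missing)} unused={sorted(unused)}")
    return _PLACEHOLDER.sub(lambda m: quote_typeql(params[m.group(1)]), template)


def unsafe_fstring(first_name: str) -> str:
    """The pattern the issue warns about: user text spliced in as syntax."""
    return f'match $p isa person, has first_name "{first_name}";'


if __name__ == "__main__":
    template = "match $p isa person, has first_name #first_name;"
    print(unsafe_fstring("delete $p;"))                 # user text becomes query text
    print(bind_params(template, first_name="delete $p;"))  # user text stays a literal
```

The resulting string would still be handed to the driver as a whole query, so this only closes the gap until the driver itself accepts parameters separately.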
I prefer to construct typed and validated queries using a builder pattern or algebraic datatype, rather than string validations. The latter does help with syntax highlighting, but only if well-standardized and implemented. The former is more expressive and also allows one to concisely construct queries using arbitrary logic.