Forum Discussion
hattesen
Adept
But there needs to be a generic and SAFE way to avoid attacks and syntax errors, regardless of WHERE term content.
I would imagine that the string builtin js_string might do the job...
<#assign replies = rest("2.0","/search?q=" + "SELECT id, body FROM messages WHERE topic.tag = '${topic_tag?js_string}' AND depth > 0"?url).data.items />
See http://freemarker.org/docs/ref_builtins_string.html#ref_builtin_js_string
However, this is a serious security and stability problem that needs a "best practice" to be defined by the Lithium developers. Believing that something MIGHT be safe just isn't acceptable in this sort of situation.
FaisalK
9 years ago
Lithium Alumni (Retired)
I agree in principle, however, this is no different than coding in Java or JS or any other language. Incorporating untrusted user input is never a good idea. And like many of those other languages, it's left up to the developer, freemarker in this case, to incorporate the security best practices (?html, js_string, etc).
This type of customization is not considered a user level task, it should only be attempted by a trained and knowledgeable person like yourself.
- hattesen
9 years ago
Adept
When coding Java against a database, you use prepared statements with parameters for this very reason.
Lithium developers should not be expected to foresee injection attacks and manually escape strings. At the very least, a "best practice" should be established, and recommendations should be made for using ?js_string, or whatever is deemed best for escaping quotes and double quotes.
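The two approaches the thread circles around, rejecting input that cannot be a tag (the prepared-statement analogue) versus escaping it for the grammar of the query it lands in, can be checked concretely rather than argued about. The following is an added example in Python, not the thread's FreeMarker code and not anything Lithium ships. It rebuilds the template's query by string concatenation, then parses the resulting literal the way a query parser would, so the effect of a quote inside the tag is visible. Two things are assumptions, labelled in the code: that a tag is a plain slug of letters, digits, hyphen and underscore, and that LiQL string literals are single-quoted with backslash as the escape character. The point the example makes does not depend on the second assumption being exact: `?js_string` escapes for JavaScript string literals, and `?url` percent-encodes for the transport; neither is defined in terms of the grammar the quote actually has to survive.

```python
import re
from urllib.parse import quote

# Added example (Python, not FreeMarker): the thread's template drops ${topic_tag}
# inside single quotes. The same structure is reproduced here so the effect of a
# quote in the tag can be checked rather than guessed.
PREFIX = "SELECT id, body FROM messages WHERE topic.tag = "
SUFFIX = " AND depth > 0"


def build_query_unescaped(topic_tag: str) -> str:
    """Equivalent of the original template with no escaping at all."""
    return PREFIX + "'" + topic_tag + "'" + SUFFIX


# ASSUMPTION: a tag is a slug of letters, digits, '-' and '_'. The real tag rules are
# not stated in the thread; adjust this to match the community's configuration.
TAG_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_safe_tag(topic_tag: str) -> bool:
    """True when the tag is a plain slug that cannot alter the query grammar."""
    return TAG_PATTERN.match(topic_tag) is not None


def build_query_validated(topic_tag: str) -> str:
    """Prepared-statement analogue: refuse anything that is not a plain slug, so no
    escaping rule has to be trusted. Preferred whenever tags are known to be slugs."""
    if not is_safe_tag(topic_tag):
        raise ValueError("tag has characters not allowed in a LiQL literal: %r" % topic_tag)
    return build_query_unescaped(topic_tag)


def liql_string_literal(value: str) -> str:
    """Fallback for free-form text. ASSUMPTION: LiQL literals are single-quoted and a
    backslash escapes the next character, so backslash and quote are the two characters
    to escape. This targets LiQL's grammar; ?js_string targets JavaScript's instead."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_query_escaped(topic_tag: str) -> str:
    """Same query with the tag rendered as a properly escaped LiQL literal."""
    return PREFIX + liql_string_literal(topic_tag) + SUFFIX


def rest_search_path(query: str) -> str:
    """The ?url step of the template: percent-encode the whole query after /search?q=.
    This protects the transport only; quotes inside the query grammar are untouched."""
    return "/search?q=" + quote(query, safe="")


def parse_tag_literal(query: str):
    """Read the literal after `topic.tag = ` the way a parser using the assumed escaping
    rule would. Returns (decoded_tag, rest_of_query); rest should equal SUFFIX."""
    if not query.startswith(PREFIX) or query[len(PREFIX):len(PREFIX) + 1] != "'":
        raise ValueError("query does not start with the expected literal")
    i = len(PREFIX) + 1
    out = []
    while i < len(query):
        ch = query[i]
        if ch == "\\" and i + 1 < len(query):  # escaped character, take it literally
            out.append(query[i + 1])
            i += 2
            continue
        if ch == "'":  # closing quote: everything after it is query syntax again
            return "".join(out), query[i + 1:]
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


if __name__ == "__main__":
    # Constructed inputs: a plain slug and a tag that contains quotes.
    for tag in ("security-101", "rock'n'roll"):
        for name, builder in (("unescaped", build_query_unescaped), ("escaped", build_query_escaped)):
            decoded, rest = parse_tag_literal(builder(tag))
            print(f"{name:9} tag={tag!r:14} decoded={decoded!r:14} rest={rest!r}")
        print(f"validated tag={tag!r:14} accepted={is_safe_tag(tag)}")
    print(rest_search_path(build_query_escaped("rock'n'roll")))
```

Run stand-alone, the unescaped build of `rock'n'roll` parses as the tag `rock` followed by `n'roll' AND depth > 0` as query text, which is the syntax error (or, with a less innocent tag, the injected clause) the first post worries about; the escaped build round-trips the full tag, and the validating build refuses it outright. For a field like a tag, validation is the safer default because it does not depend on getting the escaping rule of the target grammar exactly right.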