hbase-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Pepersack <...@pepersack.net>
Subject Re: [HBase] are column qualifiers safe as user inputed values?
Date Fri, 03 Oct 2014 16:06:18 GMT

I am not aware of anything within HBase itself that would be affected by 
malicious character strings, although there is a significant probability 
that an unpublicized vulnerability exists.

However, you have to consider which API you are using as well:  in the 
Thrift API the Key, Qualifier, and Value are defined as Text, whereas 
the Java API uses arbitrary byte arrays.   This creates the potential 
for bugs (including security bugs) when you are using both APIs.    For 
instance, Unicode conversion has been used as an attack vector.

However, even if HBase itself has no issues, keep in mind that it does 
not exist in a vacuum and there will be other components in the solution 
stack that may be vulnerable.   HBase will happily store and serve up a 
piece of malicious Javascript labeled as "FavoritePet".   The entire 
application is only as secure as the weakest link.

Bottom line: User-supplied values must ALWAYS be checked and sanitized 
and can NEVER be blindly trusted.   Just because your application isn't 
vulnerable to a specific attack vector (like SQL injection, cross site 
scripting, or shell escape attacks) doesn't mean that an application 
which consumes data from your system is going to share that immunity.   
Practice defense in depth.

On 9/30/2014 5:19 PM, Ted wrote:
> Hi I'm wondering if it's safe to use user inputed values as column qualifiers.
> I realised there maybe a sensible size limit, but that's easily checked.
> The scenario is if you wanted to store simple key/value pairs into
> column/values like perhaps some ones preferences like :
> FavouriteColour=Red
> FavouritePet=Cat
> where the user may get to choose both the key and value.
> Basically the concern is special characters and or special parsing of
> the column names, as an example the column names are allegedly =
> <family_name> : <column_qualifier>
> so what happens if people put more colons in the qualifier and or
> escape characters like backspace or other control characters etc? Is
> there any danger or is it all just uninterpreted bytes values after
> the first colon?
> thanks

View raw message