are column qualifiers safe as user inputed values?

[Ted <r6...@gmail.com>]

Hi I'm wondering if it's safe to use user inputed values as column qualifiers.

I realised there maybe a sensible size limit, but that's easily checked.

The scenario is if you wanted to store simple key/value pairs into
column/values like perhaps some ones preferences like :

FavouriteColour=Red
FavouritePet=Cat

where the user may get to choose both the key and value.

Basically the concern is special characters and or special parsing of
the column names, as an example the column names are allegedly =
<family_name> : <column_qualifier>

so what happens if people put more colons in the qualifier and or
escape characters like backspace or other control characters etc? Is
there any danger or is it all just uninterpreted bytes values after
the first colon?

thanks
-- 
Ted.

Re: [HBase] are column qualifiers safe as user inputed values?

[Joe Pepersack <jo...@pepersack.net>]

Ted,

I am not aware of anything within HBase itself that would be affected by 
malicious character strings, although there is a significant probability 
that an unpublicized vulnerability exists.

However, you have to consider which API you are using as well:  in the 
Thrift API the Key, Qualifier, and Value are defined as Text, whereas 
the Java API uses arbitrary byte arrays.   This creates the potential 
for bugs (including security bugs) when you are using both APIs.    For 
instance, Unicode conversion has been used as an attack vector.

However, even if HBase itself has no issues, keep in mind that it does 
not exist in a vacuum and there will be other components in the solution 
stack that may be vulnerable.   HBase will happily store and serve up a 
piece of malicious Javascript labeled as "FavoritePet".   The entire 
application is only as secure as the weakest link.

Bottom line: User-supplied values must ALWAYS be checked and sanitized 
and can NEVER be blindly trusted.   Just because your application isn't 
vulnerable to a specific attack vector (like SQL injection, cross site 
scripting, or shell escape attacks) doesn't mean that an application 
which consumes data from your system is going to share that immunity.   
Practice defense in depth.

On 9/30/2014 5:19 PM, Ted wrote:
> Hi I'm wondering if it's safe to use user inputed values as column qualifiers.
>
> I realised there maybe a sensible size limit, but that's easily checked.
>
> The scenario is if you wanted to store simple key/value pairs into
> column/values like perhaps some ones preferences like :
>
> FavouriteColour=Red
> FavouritePet=Cat
>
> where the user may get to choose both the key and value.
>
> Basically the concern is special characters and or special parsing of
> the column names, as an example the column names are allegedly =
> <family_name> : <column_qualifier>
>
> so what happens if people put more colons in the qualifier and or
> escape characters like backspace or other control characters etc? Is
> there any danger or is it all just uninterpreted bytes values after
> the first colon?
>
> thanks

Re: are column qualifiers safe as user inputed values?

[Jean-Marc Spaggiari <je...@spaggiari.org>]

Hi Ted,

there is nothing like sql-injection-like hacks into HBase. It's all byte
arrays and nosql. So from that perspective, yes, you are safe to use user
inputed values as the column qualifiers.

2014-10-01 12:15 GMT-04:00 Ted <r6...@gmail.com>:

> ok so it sounds like it's safe :)
>
> I'm not parsing it at all, that's my point, I'm taking what ever the
> user types and doing a Bytes.toBytes(s); on it and using it as the
> column qualifier. I was more or less wondering if there were control
> characters that could lead to anomalies or sql-injection-like hacks.
> It sounds like the answer is "no".
>
> Thanks.
>
> On 9/30/14, Nick Dimiduk <nd...@gmail.com> wrote:
> > This depends more on your parsing code than on HBase. All values are
> > converted into byte[]'s for HBase. Once your code has parsed the user
> input
> > and generated the byte[], there's no place for ambiguity on the HBase
> side.
> >
> > On Tue, Sep 30, 2014 at 5:19 PM, Ted <r6...@gmail.com> wrote:
> >
> >> Hi I'm wondering if it's safe to use user inputed values as column
> >> qualifiers.
> >>
> >> I realised there maybe a sensible size limit, but that's easily checked.
> >>
> >> The scenario is if you wanted to store simple key/value pairs into
> >> column/values like perhaps some ones preferences like :
> >>
> >> FavouriteColour=Red
> >> FavouritePet=Cat
> >>
> >> where the user may get to choose both the key and value.
> >>
> >> Basically the concern is special characters and or special parsing of
> >> the column names, as an example the column names are allegedly =
> >> <family_name> : <column_qualifier>
> >>
> >> so what happens if people put more colons in the qualifier and or
> >> escape characters like backspace or other control characters etc? Is
> >> there any danger or is it all just uninterpreted bytes values after
> >> the first colon?
> >>
> >> thanks
> >> --
> >> Ted.
> >>
> >
>
>
> --
> Ted.
>

Re: are column qualifiers safe as user inputed values?

[Ted <r6...@gmail.com>]

ok so it sounds like it's safe :)

I'm not parsing it at all, that's my point, I'm taking what ever the
user types and doing a Bytes.toBytes(s); on it and using it as the
column qualifier. I was more or less wondering if there were control
characters that could lead to anomalies or sql-injection-like hacks.
It sounds like the answer is "no".

Thanks.

On 9/30/14, Nick Dimiduk <nd...@gmail.com> wrote:
> This depends more on your parsing code than on HBase. All values are
> converted into byte[]'s for HBase. Once your code has parsed the user input
> and generated the byte[], there's no place for ambiguity on the HBase side.
>
> On Tue, Sep 30, 2014 at 5:19 PM, Ted <r6...@gmail.com> wrote:
>
>> Hi I'm wondering if it's safe to use user inputed values as column
>> qualifiers.
>>
>> I realised there maybe a sensible size limit, but that's easily checked.
>>
>> The scenario is if you wanted to store simple key/value pairs into
>> column/values like perhaps some ones preferences like :
>>
>> FavouriteColour=Red
>> FavouritePet=Cat
>>
>> where the user may get to choose both the key and value.
>>
>> Basically the concern is special characters and or special parsing of
>> the column names, as an example the column names are allegedly =
>> <family_name> : <column_qualifier>
>>
>> so what happens if people put more colons in the qualifier and or
>> escape characters like backspace or other control characters etc? Is
>> there any danger or is it all just uninterpreted bytes values after
>> the first colon?
>>
>> thanks
>> --
>> Ted.
>>
>


-- 
Ted.

Re: are column qualifiers safe as user inputed values?

[Nick Dimiduk <nd...@gmail.com>]

This depends more on your parsing code than on HBase. All values are
converted into byte[]'s for HBase. Once your code has parsed the user input
and generated the byte[], there's no place for ambiguity on the HBase side.

On Tue, Sep 30, 2014 at 5:19 PM, Ted <r6...@gmail.com> wrote:

> Hi I'm wondering if it's safe to use user inputed values as column
> qualifiers.
>
> I realised there maybe a sensible size limit, but that's easily checked.
>
> The scenario is if you wanted to store simple key/value pairs into
> column/values like perhaps some ones preferences like :
>
> FavouriteColour=Red
> FavouritePet=Cat
>
> where the user may get to choose both the key and value.
>
> Basically the concern is special characters and or special parsing of
> the column names, as an example the column names are allegedly =
> <family_name> : <column_qualifier>
>
> so what happens if people put more colons in the qualifier and or
> escape characters like backspace or other control characters etc? Is
> there any danger or is it all just uninterpreted bytes values after
> the first colon?
>
> thanks
> --
> Ted.
>