
I'm using Korma behind a RESTful API, and it occurs to me that I'm passing user-submitted values through to my `(insert)` calls. Is there a nice way in Clojure to protect against SQL injection attacks? Korma generates SQL in a pretty straightforward way, so if somebody told me their name was little Bobby Tables, I'm fearful that it would hurt.

Conan
  • Korma does indeed generate SQL in a rather straightforward way -- but if you look at the generated queries, you'll see the data _after_ the query contents, rather than embedded within them. Korma is at least moderately awful (for its unnecessary overuse of macros making runtime composition more complex than it needs to be), but it's not in my experience the security-impacting kind of awful. – Charles Duffy Aug 04 '14 at 22:54
  • By the way -- I actually, with my security hat on, think that XKCD #327 teaches _absolutely_ the wrong message: Sanitizing your inputs is the wrong way to go; if you segregate code and data successfully, _there should be no need to sanitize the inputs_, because there should be no possible way for data, however malicious, to be interpreted as code. (Yes, this means that content read back _out_ from a database needs to be treated as just as potentially-malicious as it was on its way in... but the same rule applies there too). – Charles Duffy Aug 04 '14 at 22:55

1 Answer


It's my understanding that Korma always generates parameterized SQL, at least for select and insert (I have not personally tested the others), so Little Baby Tables should be fine.

Carefully scrutinize how these values are being returned from the database. Sanitizing DB input does nothing to protect from CSRF/XSS, etc. When working with Clojure and DB <--> web interactions I use the rule that all system components must encode the data in a way that is safe for the next server in the chain, and logical constraints (like max search size) are checked upfront in ring-middleware.

Security is a cat/mouse arms race and there is no substitute for testing these things. Go ahead and put Little Baby Tables into every query and try all the combinations of encoding and multiple encoding you can think of. Demonstrating exploits can sometimes be a rather effective way to help coworkers learn to spot these things (just don't be a jerk about it).

marc_s
Arthur Ulfeldt
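As an added example (not code from the question, the answer, or the Korma project), this checks both points of the answer at the REPL: Korma's `sql-only` macro builds the statement without a database, so you can confirm the value is bound as a `?` parameter rather than spliced into the SQL text, and hiccup's `escape-html` handles the output side for an HTML consumer. The `users` entity and the input strings are constructed for illustration.

```clojure
(ns bobby-check
  (:require [korma.core :refer [defentity insert values select where sql-only]]
            [hiccup.util :refer [escape-html]]))

;; Hypothetical entity; sql-only never opens a connection, so no db setup is needed.
(defentity users)

;; Constructed untrusted input: the "little Bobby Tables" case from the question.
(def untrusted-name "Robert'); DROP TABLE students;--")

(defn insert-sql
  "The SQL string Korma would send for an insert of NAME, built but not executed."
  [name]
  (sql-only (insert users (values {:name name}))))

(defn select-sql
  "The SQL string Korma would send for a lookup by NAME, built but not executed."
  [name]
  (sql-only (select users (where {:name name}))))

(defn parameterized?
  "True when the statement carries a ? placeholder and the raw value never
   appears in the SQL text, i.e. the value travels as bound data, not as code."
  [^String sql-str ^String value]
  (and (.contains sql-str "?")
       (not (.contains sql-str value))))

(defn render-name
  "Output side: a value read back from the DB is still untrusted for the next
   hop (HTML here), so it is encoded for that consumer, not 'sanitized' on input."
  [name-from-db]
  (str "<li>" (escape-html name-from-db) "</li>"))

(comment
  ;; Evaluate at the REPL; both checks should hold for insert and select.
  (parameterized? (insert-sql untrusted-name) untrusted-name)
  (parameterized? (select-sql untrusted-name) untrusted-name)
  (render-name "<b>Bobby</b>"))
```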
  • To be fair -- there exist JDBC libraries that don't actually support parameterized queries at the wire protocol level. They're evil and should never be used, but point being that one can have content going over the wire without data being sent out-of-band from code without it strictly being the fault of anything above the JDBC driver itself. – Charles Duffy Aug 04 '14 at 22:51
  • Good point, I'll add a task to check stuff on the way out of the db too! – Conan Aug 05 '14 at 15:43