Actually, that thread on the Cassandra list is about Cassandra's own query
language (appropriately named Cassandra Query Language, or CQL). GeoServer
uses a different language called Common Query Language.

In GeoServer's implementation, each filter expression is fully parsed into
an abstract syntax tree and then partially or fully converted to native
queries in a database-specific manner - PostGIS can take advantage of SQL
syntax and functions unique to that database, while Shapefiles use a
fallback that fully interprets filters in GeoServer/GeoTools code.  As
such, it's not susceptible to traditional SQL injection attacks since the
user input is never directly sent to the underlying database.

I guess it might be possible in theory to perform an injection attack by
some clever escaping - using "' -- DELETE TABLE important_data;" as a
property name. But GeoServer validates that filters reference only
properties that are actually present, so this would not be feasible through
WFS.  And CQL does not support comments, further complicating any potential
injection attacks.

There is a vulnerability to SQL injections when using GeoServer SQL views -
but these are not included in the default configuration, and GeoServer
allows (and recommends!) that you provide regular expressions tightly
constraining view parameters to known-good values when using them.  See
http://docs.geoserver.org/stable/en/user/data/sqlview.html#creating-a-parametric-sql-view
for more information.

--
David Winslow
OpenGeo - http://opengeo.org/
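The two mechanisms described above (a filter parsed to an AST, checked against the layer schema and compiled with literals as bind parameters, versus a parametric SQL view that pastes request text into the query and relies on a validation regex) modelled in one small Python script. This is an added illustration, not GeoServer or GeoTools code: the grammar, the "roads" schema and table, the SQLite backend and the validation regexes are all constructed for the example, and the toy grammar covers only comparisons, AND/OR/NOT and parentheses.

```python
"""Toy model of the two GeoServer behaviours discussed in the thread.
Constructed for illustration; not GeoServer/GeoTools code."""
import re
import sqlite3

# Constructed layer schema: the only property names a filter may reference.
LAYER_SCHEMA = {"roads": {"id", "name", "speed_limit"}}

# Tokens of the toy filter grammar.  There is no comment token, so "--"
# is simply a syntax error, as CQL has no comments.
TOKEN_RE = re.compile(r"""\s*(?:
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*)
  | '(?P<string>(?:[^']|'')*)'
  | (?P<number>-?\d+(?:\.\d+)?)
  | (?P<op><=|>=|<>|=|<|>|\(|\)))""", re.VERBOSE)
OPS = {"=", "<>", "<", ">", "<=", ">="}


def tokenize(text):
    """Split a filter into (kind, value) tokens; anything else is rejected."""
    tokens, pos = [], 0
    while pos < len(text) and not text[pos:].isspace():
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class Parser:
    """Recursive-descent parser: expr := and (OR and)*; and := not (AND not)*."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def is_kw(self, kw):
        kind, val = self.peek()
        return kind == "ident" and val.upper() == kw

    def parse(self):
        ast = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return ast

    def parse_or(self):
        left = self.parse_and()
        while self.is_kw("OR"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self.is_kw("AND"):
            self.take()
            left = ("and", left, self.parse_not())
        return left

    def parse_not(self):
        if self.is_kw("NOT"):
            self.take()
            return ("not", self.parse_not())
        if self.peek() == ("op", "("):
            self.take()
            inner = self.parse_or()
            if self.take() != ("op", ")"):
                raise ValueError("expected ')'")
            return inner
        return self.parse_cmp()

    def parse_cmp(self):
        kind, prop = self.take()
        if kind != "ident":  # a quoted string can never become a property name
            raise ValueError(f"expected property name, got {kind} {prop!r}")
        kind, op = self.take()
        if kind != "op" or op not in OPS:
            raise ValueError(f"expected comparison operator, got {op!r}")
        kind, val = self.take()
        if kind == "string":
            return ("cmp", prop, op, val.replace("''", "'"))
        if kind == "number":
            return ("cmp", prop, op, float(val) if "." in val else int(val))
        raise ValueError(f"expected literal, got {kind} {val!r}")


def compile_filter(layer, cql):
    """Parse, check property names against the schema, emit parameterised SQL."""
    ast = Parser(tokenize(cql)).parse()
    params = []

    def emit(node):
        if node[0] == "cmp":
            _, prop, op, val = node
            if prop not in LAYER_SCHEMA[layer]:
                raise ValueError(f"unknown property {prop!r} for layer {layer!r}")
            params.append(val)  # literal goes to the driver, never into the SQL text
            return f'"{prop}" {op} ?'
        if node[0] == "not":
            return f"NOT ({emit(node[1])})"
        return f"({emit(node[1])}) {node[0].upper()} ({emit(node[2])})"

    return f'SELECT "id", "name" FROM "{layer}" WHERE {emit(ast)}', params


def run_filter(layer, cql):
    """Execute a compiled filter against a constructed in-memory table."""
    sql, params = compile_filter(layer, cql)
    conn = sqlite3.connect(":memory:")
    conn.executescript("""CREATE TABLE roads (id INTEGER, name TEXT, speed_limit INTEGER);
        INSERT INTO roads VALUES (1,'Main St',30),(2,'Highway 1',70),(3,'O''Neil Rd',50);""")
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


# Parametric SQL view: %name% is replaced by raw request text, so the
# validation regex is all that separates a parameter from the SQL string.
# (Assumed view and regex, not GeoServer's defaults.)
VIEW_SQL = "SELECT id, name FROM roads WHERE speed_limit >= %min_speed%"
VIEW_VALIDATORS = {"min_speed": re.compile(r"^[0-9]{1,3}$")}


def expand_view(sql, values, validators):
    def substitute(m):
        name, value = m.group(1), values[m.group(1)]
        if not validators[name].fullmatch(value):
            raise ValueError(f"parameter {name!r} rejected by validation regex: {value!r}")
        return value
    return re.sub(r"%(\w+)%", substitute, sql)


if __name__ == "__main__":
    print(run_filter("roads", "speed_limit > 40 AND NOT name = 'Main St'"))
    print(compile_filter("roads", "name = 'x'' OR 1=1 --'"))
    for bad in ("secret = 1", "'x' = 1", "name = 'a' -- DROP TABLE roads"):
        try:
            compile_filter("roads", bad)
        except ValueError as e:
            print("rejected:", e)
    print(expand_view(VIEW_SQL, {"min_speed": "50"}, VIEW_VALIDATORS))
```

The filter path never concatenates user text into SQL: a string literal containing `' OR 1=1 --` arrives at the driver as a bound parameter, an unknown property name or a string where a property name is expected fails at compile time, and `--` is a lexer error because the grammar has no comment token. The view path is the opposite: `expand_view` with a permissive regex such as `.*` would paste `0 OR 1=1` straight into the query, which is why the per-parameter regex must be tight.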

On Wed, May 23, 2012 at 2:13 PM, cheesybiscuits
<[email protected]> wrote:

> In a recent demo a developer in my company saw that we were using CQL
> filters
> in GeoServer, and saw how similar the syntax is to SQL, then started
> worrying about SQL / CQL injection. I assured him that as CQL filters are
> exposed by default I would be very surprised if this was even possible
> within CQL capabilites.
>
> I found a thread
> http://www.mail-archive.com/[email protected]/msg14829.html here
> that raises the issue but I don't fully understand the dialogue and it
> seems
> to suggest that the application which translates CQL to SQL has a
> responsibility to sanitize user input.
>
> I couldn't find any GeoServer documentation on the subject, so is it
> possible for a malicious user to perform a CQL injection attack through
> GeoServer?
>
> --
> View this message in context:
> http://osgeo-org.1560.n6.nabble.com/CQL-injection-is-it-even-possible-tp4976463.html
> Sent from the GeoServer - User mailing list archive at Nabble.com.
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>