I'm trying to think quickly about malicious ways to use CQL injection:

(1) As I understand, CQL is query-only, there is no way to make a CQL query that causes an update to the system. Is that true? No sneaky way to slip in an update? If that is true, good, one concern is addressed.

(2) What about reading sensitive information? Could one use injection to retrieve information that should be protected, like user addresses or purchase prices (which are sometimes confidential by contract, especially for large packages of electronic resources)? The injection examples make it seem like one could request any data in a module where one has read privileges. This is probably my main concern.

(3) Could CQL injection be crafted simply to consume inordinate resources, slow the system, or take a module down? 

I do think we want to close that injection hole, but for prioritizing I'm trying to focus on potential malicious uses. (2) above makes me a bit nervous for reasons of privacy and contractual obligation.

-Tod

On Jan 29, 2020, at 11:34 AM, Mike Gorrell <mdg@indexdata.com> wrote:

This was raised at the end of today's TC call - a Texas A&M dev has identified an issue that they thought should be raised to the Security Group - which doesn't exist yet.

The Tech Council is the closest thing we have to that security group at this time. I would like to ask this group to weigh in on this issue:


And comment on the issue as a potential security concern as well as how urgently we might want to address it.

Please correspond in email. Feel free to invite others who aren't officially on the TC to be part of this email thread.

Thanks.

-mdg
