CQL injection in `Connection.cql()` about helenus HOT 8 CLOSED

Just to add some references, here's the node-cassandra-client-way: https://github.com/racker/node-cassandra-client/blob/master/lib/driver.js#L59-109 (could be done nicer IMO)
And here's some example from node-mysql: https://github.com/felixge/node-mysql/blob/master/lib/client.js#L145-199

Anyhow I really like the ?-placeholder-style and I've seen it in many places when dealing with SQL-like database-queries (which CQL tries to mimic).

from helenus.

Looks like single quotes have to be escaped by another single quote, see https://issues.apache.org/jira/browse/CASSANDRA-2993

At least we're not in danger of really dangerous CQL injections: http://www.mail-archive.com/[email protected]/msg14907.html

from helenus.

I'll be pushing out a fix to address the vulnerability. I'll escape the single quote as that is all the official driver is doing. As for the ? placeholder way, I see how people can want this, I also see how people would want to use the NodeJS way of doing it. I think I'll have ? be synonymous with %s. That should allow for use either way.

from helenus.

just fyi, all of this was published under version 0.3.3. including the ability to use a ? placeholder in cql.

from helenus.

Looks like this fix is in JS file. Can we do it at server code?

from helenus.

I'm not sure what you mean?

from helenus.

Any security fix at client side javascript can be easily bypaased. It would be good if we have this fix on the server side code.

from helenus.

This is for node.js, not client side JavaScript.

from helenus.