Parameterized Gremlin queries


Nicolai

Feb 3, 2012, 2:13:08 AM2/3/12
to Gremlin-users
Hi,

Started to prototype a new semantic/reasoning application using the
Tinkerpop Graph API's and Gremlin as the query language.

I did not find any good way to do parameterized queries with Gremlin?

Background: as this might eventually be part of a public facing web
application, I looked at potential for a SQL injection (or rather
Gremlin injection) exploit for this app. With SQL or JPA for that
matter today, in Java this is hardly an issue (if you are diligent and
use parameterized queries instead of appending query strings together).

Is there a way to accomplish the same in Gremlin?

(I did a small test, and it is quite easy to get any Java code to be
injected into a Gremlin query otherwise (like exit JVM etc).)

Cheers,
Nicolai

Russell Jurney

Feb 6, 2012, 2:45:31 AM2/6/12
to gremli...@googlegroups.com
Wow, great issue to bring up.

Sent from my iPad

James Thornton

Feb 6, 2012, 4:51:52 AM2/6/12
to gremli...@googlegroups.com
Yes, this issue has been addressed by both Neo4j Server and Rexster -- both support parameterized queries for security and performance reasons.

Just supply the "params" arg along with the "script" arg when you make a request using the Gremlin extension.


See...

* Rexster: "Script Engine Bindings" (https://github.com/tinkerpop/rexster/wiki/Gremlin-Extension)
* Neo4j Server: "Set Script Variables" (http://docs.neo4j.org/chunked/milestone/gremlin-plugin.html#rest-api-set-script-variables)

See discussions...
* https://groups.google.com/d/msg/gremlin-users/RnhiOJ67c2I/ONgAbmedOtwJ
* https://groups.google.com/d/msg/neo4j/nciMziChlc8/R6vhbk1GMA0J
* https://github.com/tinkerpop/rexster/issues/143

- James
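
As an added illustration (not code from this thread, from Rexster or from Neo4j), the following shows the difference between splicing a request value into the script text and sending it through the "params" binding James describes; the endpoint path and the sample input are assumptions, only the "script" and "params" field names come from the thread.

```python
# Added example: building a Rexster Gremlin-extension request two ways.
# Assumed, not stated in the thread: the extension is reached by POSTing a JSON
# body to /graphs/<graph>/tp/gremlin. The "script"/"params" field names are the
# ones named in James's answer.
import json
import re

REXSTER_GREMLIN_PATH = "/graphs/{graph}/tp/gremlin"  # assumed endpoint path

# Binding names end up as variable names inside the script, so they must be
# plain identifiers; values are restricted to scalars in this example.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_SCALARS = (str, int, float, bool, type(None))


def unsafe_script(name):
    """The pattern Nicolai tested: a request value spliced into the script text.
    Whatever `name` contains is handed to the Groovy script engine as program text."""
    return "g.V.filter{it.name == '" + name + "'}"


def parameterized_request(graph, script, params):
    """Ship the script unchanged and the values in "params"; the server binds each
    key as a script-engine variable, so the values are data and never code."""
    for key, value in params.items():
        if not _IDENT.match(key):
            raise ValueError("binding name is not an identifier: %r" % key)
        if not isinstance(value, _SCALARS):
            raise TypeError("only scalar bindings in this example: %r" % key)
    return {
        "method": "POST",
        "path": REXSTER_GREMLIN_PATH.format(graph=graph),
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({"script": script, "params": params}),
    }


def demo(name):
    """Compare both forms for one input: (spliced script, bound script, bound value)."""
    req = parameterized_request("tinkergraph", "g.V.filter{it.name == n}", {"n": name})
    body = json.loads(req["body"])
    return unsafe_script(name), body["script"], body["params"]["n"]


if __name__ == "__main__":
    # A legitimate value with an apostrophe (constructed sample): the spliced form
    # turns it into broken code, the bound form leaves the script untouched.
    for line in demo("O'Brien"):
        print(line)
```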

Nicolai

Feb 6, 2012, 12:45:04 PM2/6/12
to Gremlin-users
Great, thanks, came to a similar conclusion (I sent in a parameter in
my query wrapper class called p) while this was in the moderation
queue, but good to get it confirmed, will try to use this approach as
we need to use the gremlin extension to Rexster as well for
performance here.

Right now I am subclassing the RexsterGraph and adding "proper" remote
query support, if/when stable perhaps it could be merged into the
official codebase.

Cheers,
Nicolai

On Feb 6, 1:51 am, James Thornton <james.thorn...@gmail.com> wrote:
> Yes, this issue has been addressed by both Neo4j Server and Rexster -- both support parameterized queries for security and performance reasons.
>
> Just supply the "params" arg along with the "script" arg when you make a request using the Gremlin extension.
>
> See...
>
> * Rexster: "Script Engine Bindings" (https://github.com/tinkerpop/rexster/wiki/Gremlin-Extension)
> * Neo4j Server: "Set Script Variables" (http://docs.neo4j.org/chunked/milestone/gremlin-plugin.html#rest-api-...)
>
> See discussions...
> *https://groups.google.com/d/msg/gremlin-users/RnhiOJ67c2I/ONgAbmedOtwJ
> *https://groups.google.com/d/msg/neo4j/nciMziChlc8/R6vhbk1GMA0J
> *https://github.com/tinkerpop/rexster/issues/143
>
> - James

James Thornton

Feb 6, 2012, 12:56:35 PM2/6/12
to gremli...@googlegroups.com
> Right now I am subclassing the RexsterGraph and adding "proper" remote
> query support, if/when stable perhaps it could be merged into the
> official codebase.

Cool. What language are you writing your client in?

- James
