SQL Injec... I mean... Lucene injection in Search method


Mircea Chirea

Feb 3, 2013, 8:36:43 AM2/3/13
to rav...@googlegroups.com
Simply: try using Search for "test[". You'll get a parse error. I am wondering, is this by design? Shouldn't the Search method escape its input first?
RavenInjection.zip

Bernhard Glück

Feb 3, 2013, 8:57:52 AM2/3/13
to rav...@googlegroups.com
I don't really see the problem here. 

a) Lucene Search Syntax is strictly read only -> No way to modify data so you're safe there
b) Gaining more information: This is a database, you have to do that yourself anyway, because security needs are determined by your application, ravendb has to allow every query possible.



Mircea Chirea

Feb 3, 2013, 9:33:40 AM2/3/13
to rav...@googlegroups.com
inline


On Sunday, February 3, 2013 3:57:52 PM UTC+2, Gluber wrote:
I don't really see the problem here. 

Exceptions I have to handle myself :P
 

a) Lucene Search Syntax is strictly read only -> No way to modify data so you're safe there 
b) Gaining more information: This is a database, you have to do that yourself anyway, because security needs are determined by your application, ravendb has to allow every query possible.


Fair enough. But if there are methods to programmatically build the query, why should these methods accept query syntax?

Bernhard Glück

Feb 3, 2013, 1:21:33 PM2/3/13
to rav...@googlegroups.com
Because sometimes it might be convenient to build them up dynamically, e.g. building a web-based UI to compose queries, or storing query definitions somewhere outside of your source code (e.g. in the database itself, for something like a "save recent queries" feature).


Mircea Chirea

Feb 3, 2013, 3:18:49 PM2/3/13
to rav...@googlegroups.com
I suppose there is no function I can call to escape the query or something like that, right?

Oren Eini (Ayende Rahien)

Feb 3, 2013, 4:14:10 PM2/3/13
to ravendb
RavenQuery.Escape

Mircea Chirea

Feb 4, 2013, 4:51:30 AM2/4/13
to rav...@googlegroups.com
Oh... well thanks :)