How do we handle injection attacks?

[ffMathy]

How do we handle injection attacks? In SQL, you can inject something into a query from a dynamically provided value if it's concatenated into the query.

Does Ftrack support a way to do this safely?

[lucaas]

The API query language is not SQL, but a custom language that is parsed into a internal representation on the backend.

On the backend we apply permission checks on the query and returned entities, to guarantee that the data returned only contains information that the API user is allowed to see. If the query run as the user then they are not able to modify it to get access to more data than what their permissions allow.

If you are not using the users credentials, then the user will be able to access more data because it is bypassing ftrack's permissions.

The ftrack-javascript client does not have any method of preventing injections as we haven't found it necessary. If you build UI’s which have free text search for example, I recommend that you escape quotes within the value and surround the value with quotes in the query to avoid issues with malformed queries. As if this is enough to prevent an injection, I can not say.

[ffMathy]

The problem is that much of our system consists of actions. A user may invoke an action, but the system that performs the mutations in Ftrack has higher access than the user.

That's intentional. We want to lock down certain actions to be system-only. How can we retain this while still allowing the system to be safe?

For instance, it would be less than ideal if user A would be able to gain insight into something from user B.

Some examples I can think of:

• Doing a select secret_stuff from SomeType where stuff='<dynamic value>' and then providing the dynamic value ' or __entity_type__ not in ', leading to a resulting query of select secret_stuff from SomeType where stuff='' or __entity_type__ not in ''. This makes it select the first record instead of the relevant one.
• Mutating some kind of value, but then using the same trick to do it on behalf of the first match instead.

As long as you can confirm that it is enough to escape the quotes, then that's good enough for us.