AT
Apache TinkerPopLonnie VanZandt
Gremlin Injection Attacks?
Is anyone talking about or looking into attacks and mitigations for Gremlin Injection Attacks? That is, just like all the commentary on how to design your PHP-based web frontend with Postgres backend to not be a sucker for an easy SQL Injection Attack, is anyone looking at how to handle your users of your Gremlin Server when those users give you Groovy lambdas that are rich in aggressive behavior?
Solution:
I think this goes back to a different thread we had where I mentioned that security was a reason driving an idea that lambdas should not be allowed outside of embedded use cases and why they should be removed otherwise. For some lightweight security you can try to sandbox the
ScriptEngine in the server: https://tinkerpop.apache.org/docs/current/reference/#script-execution but it is not a perfect solution and really just a reference implementation that we have. Some commercial offerings in the...Solution
spmallette•82d ago
I think this goes back to a different thread we had where I mentioned that security was a reason driving an idea that lambdas should not be allowed outside of embedded use cases and why they should be removed otherwise. For some lightweight security you can try to sandbox the
ScriptEngine in the server: https://tinkerpop.apache.org/docs/current/reference/#script-execution but it is not a perfect solution and really just a reference implementation that we have. Some commercial offerings in the past have built on that model to varying levels of success, though I'm not wholly sure any implementation was bulletproof. most simply don't allow lambdas at all, which is probably the best option.Lonnie VanZandt•82d ago
Yes, I saw your mention of the risk on the other thread. I'm looking at a cybersecurity questionnaire and was curious if the Gremlin community had any horror stories here.
spmallette•82d ago
i can't recall of a single report of one, but obviously that doesn't mean it didn't happen.
triggan•81d ago
@spmallette - Likely something that should be considered if/when we allow the ability for a user to pass a traversal as an argument for things like
I just saw an example yesterday where a user was attempting to include a traversal within a map that was being fed to
V() of has(). But as of the implementation today, these filters do not accept traversals. That makes injection attacks fairly uncommon when you disable lambdas.I just saw an example yesterday where a user was attempting to include a traversal within a map that was being fed to
mergeV and that too does NOT work. So the threat surface area for injection with Gremlin is fairly low.Apache TinkerPop is an open source graph computing framework and the home of the Gremlin graph query language.
1.3KMembers
View on DiscordWant results from more Discord servers?
More PostsReturned vertex properties (JS client)Hi, I've got a question regarding the returned vertex value when using the JS client. How come non-aAnyone using Tinkerpop docker as a local Cosmos replacementRunning into some random issues. Looking for tips and tricks.Configuring Websockets connection to pass through a proxy serverHey,
I'm working on making G.V() fully proxy aware, but I can't seem to get websockets connection tpython goblin vs spring-data-goblin for interactions with gremlin serverI want an OGM to interact with my gremlin server. What would be a good choice?Is there any open source version of data visualizer for aws neptune?Is there any open source version of data visualizer for aws neptune. I'll need it since it essentialDynamic select within query not working.Any insights or help would be greatly appreciated.
I have to pass a list of lists in the format beAdding multiple properties to a vertex using gremlin-goHello Community,
I have a question regarding how multiple properties can be added to a vertex using Is it possible to walk 2 different graphs using custom TraversalStrategy in Gremlin?I have 2 different graphs in 2 different Neptune cluster. Both of them can have few reference verticSideEffect a variable, Use it later after BarrierStep?I seek a query that builds a list and then needs to both sum the list's mapped values and divide theMemory issue on repeatI am traversing all nodes occuring in the same cluster given one of the nodes in that cluster.
SurpWhich database should i use for my DJ set planning software?Hi, i want to develop a software that lets DJs plan a set (i.e. playlist) and i'm wondering if graphHow will i add unique values to the vertices or edge properties in NeptuneI can't get a doc regarding adding unique data through gremlin. Is there any way to do it, other thaNot getting result in hasId() but id().is() worksI don't get any response using g.V().hasId(48). But when i use g.V().id().is(48). it shows output. Sdotnet `Enumeration has not started. Call MoveNext` if I try to enumerate over a resultI recently try to use gremlin to created a graph and query this graph. Currently I get it working to