Gremlin Injection Attacks?
Is anyone talking about or looking into attacks and mitigations for Gremlin Injection Attacks? That is, just like all the commentary on how to design your PHP-based web frontend with Postgres backend to not be a sucker for an easy SQL Injection Attack, is anyone looking at how to handle your users of your Gremlin Server when those users give you Groovy lambdas that are rich in aggressive behavior?
Solution
I think this goes back to a different thread we had where I mentioned that security was a reason driving an idea that lambdas should not be allowed outside of embedded use cases and why they should be removed otherwise. For some lightweight security you can try to sandbox the ScriptEngine in the server: https://tinkerpop.apache.org/docs/current/reference/#script-execution but it is not a perfect solution and really just a reference implementation that we have. Some commercial offerings in the past have built on that model to varying levels of success, though I'm not wholly sure any implementation was bulletproof. Most simply don't allow lambdas at all, which is probably the best option.

Yes, I saw your mention of the risk on the other thread. I'm looking at a cybersecurity questionnaire and was curious if the Gremlin community had any horror stories here.
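A Gremlin Server configuration fragment for the ScriptEngine sandbox the reply points at, added here as an example and not taken from the thread. The plugin and extension class names follow my reading of the linked script-execution documentation and should be checked against the docs for the TinkerPop version actually deployed:

```yaml
# gremlin-server.yaml (fragment, added example): compile Groovy scripts
# statically and route them through the reference sandbox extension.
# Class names are assumed from the script-execution docs; verify for your version.
scriptEngines: {
  gremlin-groovy: {
    plugins: { org.apache.tinkerpop.gremlin.server.jsr223.GremlinServerGremlinPlugin: {},
               org.apache.tinkerpop.gremlin.groovy.jsr223.GroovyCompilerGremlinPlugin: {
                 compilation: COMPILE_STATIC,
                 extensions: org.apache.tinkerpop.gremlin.groovy.jsr223.customizer.SimpleSandboxExtension } } } }
```

As the reply says, this is a reference implementation rather than a hardened boundary: static compilation plus the sandbox extension restricts which types and methods a submitted script can touch, but the stronger control is to not accept Groovy lambdas from clients at all and to have clients send parameterized traversals instead.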
I can't recall a single report of one, but obviously that doesn't mean it didn't happen.
@spmallette - Likely something that should be considered if/when we allow the ability for a user to pass a traversal as an argument for things like V() or has(). But as of the implementation today, these filters do not accept traversals. That makes injection attacks fairly uncommon when you disable lambdas.

I just saw an example yesterday where a user was attempting to include a traversal within a map that was being fed to mergeV and that too does NOT work. So the threat surface area for injection with Gremlin is fairly low.