Tags: sql-injection, gremlin, tinkerpop, gremlin-server, azure-cosmosdb-gremlinapi

Does Tinkerpop GroovyTranslator protect against Gremlin script injection attacks?


I understand that direct gremlin scripts are susceptible to Injection attacks and parametrizing them is the best option.

My question is whether creating a GraphTraversal object and running it through GroovyTranslator to arrive at the Gremlin script is also susceptible to injection?

Is something like the following safe from Gremlin Injection point of view?

    final String script = GroovyTranslator.of("g").translate(traversal.asAdmin().getBytecode());
    client.submitAsync(script);

Solution

  • The Translator implementation doesn't do anything in particular to detect malicious injections, but I also can't quite imagine how a constructed traversal would end up in a state where the constructed Gremlin string produced by it would contain something like that. The Translator does not evaluate any of the arguments made to any of the steps in the traversal. In other words, if you had:

    gremlin> translator = GroovyTranslator.of('g')
    ==>translator[g:gremlin-groovy]
    gremlin> x = "'bob');g.V().drop()"
    ==>'bob');g.V().drop()
    gremlin> traversal = g.V().has('name',x)
    gremlin> translator.translate(traversal)
    ==>g.V().has("name","'bob');g.V().drop()")
    gremlin> x = "\");g.V().drop()"
    ==>");g.V().drop()
    gremlin> traversal = g.V().has('name',x)
    gremlin> translator.translate(traversal)
    ==>g.V().has("name","""\");g.V().drop()""")
    

    As you can see, in the above example, the Translator just treats the value of x wholly as a String. The Translator will, however, evaluate Bytecode objects as arguments, but that is expected as some steps do accept a Traversal as an argument. Therefore, if you evaluated an x input yourself to Bytecode then I suppose someone could slip something in. That seems unlikely. Of course, that would mean that the input you were accepting from users would be enabling them to write their own Gremlin essentially, so I don't really think that's an injection scenario.

    Generally speaking, I think you mostly run into injection sorts of attacks in the same way you run into them with SQL, where you are manually constructing a Gremlin string and not checking input. I'd say it remains a best practice to validate your input in any case and to not dynamically evaluate any input directly (unless you are allowing users to submit their own Gremlin queries for some reason, in which case you may need additional guards depending on your use case).
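To make the difference between the two construction styles in the answer concrete, here is an added Python example (not from the answer above and not TinkerPop's own code). `groovy_string_literal` is an assumed model of how GroovyTranslator emits a String argument, written to reproduce the two console outputs shown in the answer; `top_level_statements` is a small Groovy-string-aware splitter that counts how many statements a script actually contains, which is the check a defender cares about. The payload strings are constructed for the demonstration.

```python
"""Compare string concatenation, translator-style quoting and parameter bindings
for a Gremlin 'has("name", <user value>)' lookup, then count top-level statements."""


def groovy_string_literal(value: str) -> str:
    """Model (assumption) of GroovyTranslator's String handling, matching the answer's
    console output: escape backslash and double quote, wrap in "...", and switch to a
    triple-quoted literal when the value itself contains a double quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"""{escaped}"""' if '"' in value else f'"{escaped}"'


def concatenated_script(name: str) -> str:
    """The injectable pattern: user data pasted straight into the script text."""
    return f"g.V().has('name','{name}')"


def translated_script(name: str) -> str:
    """What translating g.V().has('name', name) yields under the model above."""
    return f'g.V().has("name",{groovy_string_literal(name)})'


def parameterized_script(name: str) -> tuple[str, dict]:
    """Preferred form: constant script text, value travels in the bindings map
    (the Map argument of the driver's Client.submit(String, Map))."""
    return "g.V().has('name', x)", {"x": name}


def top_level_statements(script: str) -> list[str]:
    """Split a Gremlin-Groovy script on ';' characters that sit outside string literals.
    Handles '...', "..." and triple-quoted literals with backslash escapes; comments
    are not handled, which is enough for the scripts built in this example."""
    statements, current, i, n = [], [], 0, len(script)
    while i < n:
        ch = script[i]
        if ch in ("'", '"'):
            delim = ch * 3 if script.startswith(ch * 3, i) else ch
            j = i + len(delim)
            while j < n and not script.startswith(delim, j):
                j += 2 if script[j] == "\\" else 1  # skip an escaped character
            if j >= n:
                raise ValueError("unterminated string literal")
            j += len(delim)
            current.append(script[i:j])  # keep the literal intact, ';' inside it is data
            i = j
        elif ch == ";":
            statements.append("".join(current).strip())
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


# Constructed payload: balances the single quotes of the concatenated template.
PAYLOAD = "bob');g.V().drop();g.V().has('name','x"

if __name__ == "__main__":
    for label, script in (("concatenated", concatenated_script(PAYLOAD)),
                          ("translated", translated_script(PAYLOAD)),
                          ("parameterized", parameterized_script(PAYLOAD)[0])):
        stmts = top_level_statements(script)
        print(f"{label:13s} {len(stmts)} statement(s): {stmts}")
```

Running it shows the concatenated form split into three statements (the `drop()` included), while the translated form and the bindings form each contain exactly one: the quoting keeps the `;` inside a string literal, and the bindings form never puts the value into the script text at all. The splitter is a useful guard in its own right when a service has to accept script text from somewhere: refusing anything with more than one top-level statement catches the simplest injected `;g.V().drop()` pattern, though it is no substitute for bindings or for validating the input value.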