Prevent tarantool injection & unsolicited code execution

[jobs-git]

In SQL, there is what we call SQL injection, and this was mitigated by using prepared statements, in tarantool what counter measures can we use so that we can prevent code injections from unsolicited users?

[Totktonada]

Tarantool supports placeholders for parameters as for usual box.execute() requests as well as for prepared statements. Basic example:

tarantool> box.cfg{}
tarantool> box.execute([[create table bar(id integer primary key autoincrement, value varchar(100))]])
tarantool> box.execute([[insert into bar values (NULL, ?)]], {'one'})
tarantool> box.execute([[insert into bar values (NULL, ?)]], {'two'})
tarantool> box.execute([[insert into bar values (NULL, ?)]], {'three'})
tarantool> box.execute([[select * from bar]])
---
- metadata:
  - name: ID
    type: integer
  - name: VALUE
    type: string
  rows:
  - [1, 'one']
  - [2, 'two']
  - [3, 'three']
...

See more in the documentation.

See also the relevant discussion with the documentation team.

Feel free to reopen the issue if you have more questions.

[jobs-git]

I am glad that there is already an SQL prepared. Is there a native Tarantool prepared statement? Should I reopen one? @Totktonada @kyukhin

[Totktonada]

Native requests are quite straightforward: they don't require parsing and generating of bytecode. There is no need to prepare them, because it would not give any performance benefits.

[jobs-git]

I was thinking if it was possible to further strengthen tarantool security.

Native tarantool database calls might have a potential to do tarantool injection in the future.

Native tarantool prepare might be one solution to this.

[Totktonada]

I see no relation. Please, show example of potentialy vulnerable userland code and I will able to respond something more certain (at least how to write it in a safe way).