Grex should be able to handle bound parameters #28

Open
jbmusso opened this issue Apr 23, 2014 · 1 comment


jbmusso commented Apr 23, 2014

The Gremlin extension API allows for parameters to be sent as a map bound to the script engine (see https://github.com/tinkerpop/rexster/wiki/Gremlin-Extension#gremlin-extension-api).

Grex currently does not support bound parameters, making it vulnerable to Gremlin-injection vulnerabilities (just like SQL-injections).

This issue should be addressed as soon as possible, though it may require a bit more refactoring regarding the way arguments are currently handled.

Thoughts welcome!

@jbmusso jbmusso added this to the v0.7.0 milestone May 22, 2014
@jbmusso jbmusso self-assigned this May 22, 2014

jbmusso commented Jun 14, 2014

This has been partially added in the develop branch. Bound parameters are supported when using the string formatted version of query(). See README.md in the develop branch.

Further changes/improvements on this topic (i.e. bound parameters with gRex helpers) will be reflected in this discussion.
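
The difference the issue describes, as an added example that is not part of the thread and is not Grex code: the same lookup built by string concatenation and with a bound parameter. It assumes the JSON body of the Rexster Gremlin extension uses the keys `script` and `params`; the function names, the `userName` binding and the sample input are hypothetical.

```javascript
// Added example (not Grex's API): request bodies for the Rexster Gremlin
// extension, built two ways. Assumption: the extension takes a JSON body
// with a `script` string and a `params` map bound to the script engine.

// Unsafe: the value becomes part of the Groovy source that gets compiled.
function buildConcatenated(name) {
  return { script: "g.V('name','" + name + "')" };
}

// Safe: the script text is constant; the value travels as data in `params`
// and is only ever seen by the script as the variable `userName`.
function buildBound(name) {
  return { script: "g.V('name', userName)", params: { userName: name } };
}

// Hypothetical client-side guard: binding names must be plain identifiers
// and values must be primitives, so nothing in `params` can carry code.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function checkParams(params) {
  for (const [key, value] of Object.entries(params)) {
    if (!IDENT.test(key)) {
      throw new Error("invalid binding name: " + key);
    }
    const kind = typeof value;
    const primitive = value === null || kind === "string" ||
      kind === "number" || kind === "boolean";
    if (!primitive) {
      throw new Error("unsupported binding value for: " + key);
    }
  }
  return true;
}

// Constructed input containing a quote and an extra (harmless) statement.
const hostile = "x'); g.V.count(); ('";

// Concatenation: the input has changed the structure of the script.
console.log(buildConcatenated(hostile).script);

// Binding: the script is identical to the one sent for a benign value.
const bound = buildBound(hostile);
checkParams(bound.params);
console.log(JSON.stringify(bound));
```

With binding, the server compiles the same script text for every request, so a review of the scripts a client can send reduces to a review of its constant strings.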
