What could possibly go wrong. Little Bobby Tables would be proud.
Great idea. How can we submit this to all AI scrapers?
/cybersec red teamer
I’m 100% for this. Because we’ll find out VERY quickly what sites are dumb enough to do this. And then we know to stay away from them! :-D
No one gonna make an anal joke?
Hilariously enough, just today I read a blog post about a service where the client interacts with the database directly - https://clickhouse.com/blog/building-a-paste-service-with-clickhouse. While it’s not your traditional OLTP database, it still kinda fits.
Why not?
We did that for a Plotly dashboard in Python. We copied the database into a read-only in-memory sqlite database (it is quite small, only a couple thousand entries) to prevent any damages outside the dashboard. The data only gets updated every couple of days. You could skip this step. Then with sqlite you can restrict what action a query can use (SELECT, JSON, etc.) and you can restrict the instructions per query to prevent denial of service. It works like a charm and is much simpler than providing a REST API. Also the user might already know SQL.
I am actually planning something similar for a task management web app I am building at the moment (additionally to providing a REST API). No need to learn another query language like in Jira.
Couple of reasons of varying importance:
- Security. Even when you limit operations or table access it’s very easy to mess something up. Some new employee starts storing sensitive data in the wrong place or a db admin accidentally turns off the wrong permissions, etc…
- It’s secretly more overengineered than a standard api despite looking simpler. If your app needs extremely robust query capabilities then you probably have a use case for an entire analytics stack and could use an open source option. Otherwise your users probably just need basic search, filtering, sorting, etc…
- Ungodly, Flex Tape tier tight coupling. Part of the purpose of an api is to abstract away implementation details and present a stable contract. Now if you want to migrate/upgrade the database or add a new data source, everyone has to know about it and it’s potentially a major breaking change.
- Familiarity. If someone else steps in to maintain it it’s much easier to get up to speed with a more standard stack. You don’t need a seven layer salad of enterprise abstraction bullshit, but it’s useful to see a familiar separation of auth, queries, security, etc…
- Having the option to do business logic outside of the database can save countless headaches. Instead of inventing views or kludging sprocs to do some standard transformation, you can pull in a mature library. Some things, such as scrubbing PII, are probably damn near impossible without a higher tier layer to work in.
- Client support. Your browser/device probably has a few billion options for consuming a REST/HATEOAS/graphql/whatever api. I doubt there’s many direct sql options with wide support.
I probably wouldn’t do it outside of a tiny solo project. There are plenty of frameworks which do similar things (such as db driven apis) without compromising on flexibility, security or features.
deleted by creator
I would honestly prefer it if more websites just did that and gave you access to whatever they have about you in their database. Would be much easier to figure out which data they actually store about me. If you set up the access lsits appropriately it could be OK from the security perspective too (of course better to do it over something other than SQL, but who am I to judge).
Chan I use different database name?
also stop putting in extra work to handle queries; the user knows what they want so let them enter the queries themselves and save development time. database sanitization is just pointless busywork.
I mean…. Let’s say you set up a Postgres user for all of your application users, with appropriate roles and row level security policies, you could actually do it without Bobby tables issues. I think.
only good things could be happening in the anal database
I did this just to reduce network latency. It’s not for public use, and tbh, I don’t think you can even get at it from outside the VPN.
Pentesters: “Bet”
I haven’t been down to test their public wifi in the cafe to see if that can access it.
The guy who installed it used to work for us and is a known clown, so it’s entirely possible.
Although if it is, there’s way worse things they can do from there. Like connect to the actual database for a start.
Does the database use the same authentication and permissions as the API? If the API authenticates against the DB with a technical user, it may be still be an exploitable vulnerability for people who can’t access the DB directly but can access the API. I don’t know what database it is, what other databases run on the same server and what privileges might be achievable or escalatable, but generally “there are worse weaknesses” isn’t a solid security policy.
You could give me a VPN access and I’ll take a look around :p
(Please don’t, actually – in case it needs to be said, running pentests on prod is a dangerously bad idea already even before we get to the whole “trusting a stranger on the Internet just because they sound sorta knowledgeable” issue)
some of the comments here are concerning…
Yeah, if I heard a junior dev say that in earshot I’ll be pulling them into a room for the list-of-reasons-that’s-dumb. Even the AI code assistants would directly say it’s not advisable.
Programmer Shitposting
Stop over-engineering shit, just do everything client-side like McDonald’s: https://bobdahacker.com/blog/mcdonalds-security-vulnerabilities
My friend who helped me research the OAuth vulnerabilities was let go for “security concerns from corporate”
Good old shooting the messenger.
I mean, they were an employee who was exploring security vulnerabilities with a non-employee who has a blog. I would have fired them too.
It is indeed a very risky move without a lot to gain for him personally. But I could guess McDonald’s would have forced him to ignore it and shut up about it if he disclosed this to the higher ups himself, in which case I would have gladly left myself instead.
