RedisSearch via the Go-Redis driver and injection attacks

I want to use the RedisSearch module to support queries/searches as shown in the code below.

I am using the Go-Redis driver, and as far as I can tell there isn’t a parameterised way to call RedisSearch with this driver (or any others?) and thus you must resort to doing a rdb.Do() command.

This potentially exposes a vulnerability to injection attacks, as the values will be input by the user via a website.

Possibly, I can sanitise these values to reduce the risk, but that also adds another step to the process and a potential point of failure.

Does anyone know if there is a different way to do this in a more parameterised way?

package main

import (
	"context"
	"fmt"
	"github.com/go-redis/redis/v8"
	"log"
)

var ctx = context.Background()

func main() {
	rdb := redis.NewClient(&redis.Options{
		Addr:     "localhost:6379",
		Password: "", // no password set
		DB:       0,  // use the default DB
	})

	// rdb.Do takes the command name and each argument as separate values; passing the
	// whole command as one string would make Redis treat it as a single unknown command.
	res, err := rdb.Do(ctx, "FT.SEARCH", "housesIdx",
		"@suburb:{sydney} @price:[1000000 1200000] @bedrooms:[4 4] @garages:[1 1] @bathrooms:[2 2]").Result()
	if err != nil {
		log.Fatalf("Error executing search query: %v", err)
	}

	fmt.Printf("Search results: %+v\n", res)
}

Moin,
Directly to your question: you can build your own checks. Check the user input for funny stuff with a regex, then build the query string.

Why are you using Redis? A great point for Go, in my opinion, is that you have access to shared memory between goroutines. No need for Redis. One thing less to care about that can break or cause problems.

If you need in-memory SQL, you can also just use in-memory tables from your favorite DB like Postgres or Maria.

KR
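The check-then-build approach from the reply above, written out as an added example (not the poster's code and not part of go-redis): it validates the user-supplied values against an allow-list and returns the argument list for rdb.Do, so the query text travels as one argument instead of being concatenated into the command. The HouseSearch type, BuildSearchArgs, and the letters-and-digits pattern for suburb names are assumptions made for the example; the index and field names come from the question.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Allow-list for tag values (assumption: suburbs are plain words). Anything
// carrying RediSearch query syntax characters such as } | @ : [ ] * is
// rejected rather than escaped.
var tagValuePattern = regexp.MustCompile(`^[A-Za-z0-9]{1,64}$`)

// HouseSearch carries the already-typed values read from the web form.
type HouseSearch struct {
	Suburb                       string
	MinPrice, MaxPrice           int
	Bedrooms, Garages, Bathrooms int
}

// BuildSearchArgs validates the input and returns the argument list for
// rdb.Do(ctx, args...). go-redis sends each element as its own RESP bulk
// string, so the query text can never become a second Redis command; the
// allow-list and integer formatting keep it from becoming extra query syntax.
func BuildSearchArgs(index string, s HouseSearch) ([]interface{}, error) {
	if !tagValuePattern.MatchString(s.Suburb) {
		return nil, errors.New("suburb contains disallowed characters")
	}
	if s.MinPrice < 0 || s.MaxPrice < s.MinPrice {
		return nil, errors.New("invalid price range")
	}
	for _, n := range []int{s.Bedrooms, s.Garages, s.Bathrooms} {
		if n < 0 || n > 50 {
			return nil, errors.New("room count out of range")
		}
	}
	query := fmt.Sprintf("@suburb:{%s} @price:[%d %d] @bedrooms:[%d %d] @garages:[%d %d] @bathrooms:[%d %d]",
		s.Suburb, s.MinPrice, s.MaxPrice, s.Bedrooms, s.Bedrooms, s.Garages, s.Garages, s.Bathrooms, s.Bathrooms)
	return []interface{}{"FT.SEARCH", index, query}, nil
}

func main() {
	ok := HouseSearch{Suburb: "sydney", MinPrice: 1000000, MaxPrice: 1200000, Bedrooms: 4, Garages: 1, Bathrooms: 2}
	args, err := BuildSearchArgs("housesIdx", ok)
	fmt.Println(args, err) // hand these to rdb.Do(ctx, args...) in the real client
	// Constructed hostile input: tries to close the tag and widen the price filter.
	_, err = BuildSearchArgs("housesIdx", HouseSearch{Suburb: "sydney} | @price:[0 +inf"})
	fmt.Println(err)
}
```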

Thank you! I have taken your advice and will be using Postgres with caching using Go Maps and other Go structs/slices.