Dgraph DQL Injection Prevention

I want to add DQL injection prevention logic to my application that uses Dgraph as the only database.
Is there any sheet that describes important characters to scan?
What is the best practice to ensure the security of a Dgraph Application?
Thank you.

No, there is none, cuz DQL has no exploit in the language. It has a structural syntax that prevents any attempt to do unwanted patterns. It is impossible to run a statement in any input.

Ps. Not all below are Dgraph related.

  1. Put your DB behind a firewall and other layers of common security.
  2. Always put a middleware between your application and Dgraph. A simple HTTP API or even GraphQL is enough. (Use Dgraph’s GraphQL)
  3. Avoid sequential IDs or expose UIDs to the end-user. This is valid for any DB out there.
  4. Use GraphQL Vars and DQL Vars all the time.
  5. Choose a good auth strategy.
  6. If you are going to use a stateless auth, master it first. Stateless auth is dangerous. JWT is stateless, but if you follow the letter you gonna be fine.
  7. Avoid any Query string over URL. This isn’t Dgraph related, but I personally think it is a bad practice. Only specific cases I would use it.

See? most of it is a pure Sysadmin job. If you have done the homework, your cluster is safe.


1 Like