
Fix CQL injection in Connection keyspace escaping#758

Open
mykaul wants to merge 1 commit into scylladb:master from mykaul:fix/cql-injection-keyspace-escape

Conversation


@mykaul mykaul commented Mar 22, 2026

Summary

  • Escape double quotes (") as "" in keyspace names when constructing USE statements in Connection.set_keyspace_blocking and Connection.set_keyspace_async, preventing CQL injection
  • This is the Python equivalent of the vulnerability fixed in the Go driver: "fix: escape double quotes in UseKeyspace to prevent CQL injection" (gocql#783)
  • Add unit tests verifying that both methods correctly escape keyspace names containing double quotes

Details

The set_keyspace_blocking and set_keyspace_async methods in cassandra/connection.py construct CQL USE statements by directly interpolating the keyspace name into 'USE "%s"' without escaping embedded " characters. A keyspace name containing " produces malformed or injectable CQL.

The higher-level Session.set_keyspace already handles this correctly via protect_name(), but these lower-level connection methods are called directly from pool management code (cassandra/pool.py) and cassandra/cluster.py, bypassing that protection.

The fix escapes " as "" per CQL quoted-identifier rules, consistent with the existing escape_name() function in cassandra/metadata.py.
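As an added example (not code from the scylladb python-driver or from this PR), the statement construction described above in its pre-fix and post-fix forms, with a small quoted-identifier parser as the check: for the name `foo"bar` the unescaped statement does not parse as a single identifier, while the escaped one round-trips to the original name. `escape_identifier`, `build_use_*` and `parse_quoted_identifier` are names chosen here; the driver's own `escape_name()` and `protect_name()` are not called.

```python
from typing import Optional

# Added example, not driver code. Reimplements the '"' -> '""' quoted-identifier
# rule the PR applies and checks the resulting USE statement with a parser.


def build_use_unescaped(keyspace: str) -> str:
    """The pre-fix construction described in the PR: the name is interpolated
    into 'USE "%s"' with no escaping of embedded double quotes."""
    return 'USE "%s"' % keyspace


def escape_identifier(name: str) -> str:
    """Escape a CQL quoted identifier: every '"' becomes '""'.
    Same rule as the driver's escape_name(), reimplemented here."""
    return name.replace('"', '""')


def build_use_escaped(keyspace: str) -> str:
    """The post-fix construction: quotes are doubled before interpolation."""
    return 'USE "%s"' % escape_identifier(keyspace)


def parse_quoted_identifier(stmt: str, prefix: str = "USE ") -> Optional[str]:
    """Parse `USE "<identifier>"` and return the unescaped identifier.

    Returns None unless the statement is exactly the prefix followed by one
    well-formed quoted identifier: a '""' pair inside the quotes is a literal
    quote, a lone '"' closes the identifier and must end the statement."""
    if not stmt.startswith(prefix + '"'):
        return None
    i = len(prefix) + 1
    n = len(stmt)
    out = []
    while i < n:
        ch = stmt[i]
        if ch == '"':
            if i + 1 < n and stmt[i + 1] == '"':
                out.append('"')  # escaped quote inside the identifier
                i += 2
                continue
            # closing quote: anything after it means the statement is malformed
            return "".join(out) if i + 1 == n else None
        out.append(ch)
        i += 1
    return None  # unterminated identifier


def keyspace_roundtrips(keyspace: str) -> bool:
    """True when the escaped USE statement parses back to the original name."""
    return parse_quoted_identifier(build_use_escaped(keyspace)) == keyspace


if __name__ == "__main__":
    # Constructed sample name, taken from the PR's own malformed-CQL example.
    name = 'foo"bar'
    print(build_use_unescaped(name), "->", parse_quoted_identifier(build_use_unescaped(name)))
    print(build_use_escaped(name), "->", parse_quoted_identifier(build_use_escaped(name)))
```

The parser is the check a unit test for this fix can use: rather than asserting on one hard-coded string, assert that the produced statement parses to exactly the keyspace that was requested, which fails for any name the escaping does not cover.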


Copilot AI left a comment


Pull request overview

This PR addresses a CQL injection vector in the low-level Connection.set_keyspace_blocking / Connection.set_keyspace_async methods by properly escaping embedded double quotes in keyspace names when constructing USE statements.

Changes:

  • Escape " as "" when building USE "<keyspace>" in both blocking and async keyspace setters.
  • Add unit tests asserting the produced USE query correctly escapes keyspace names containing ".

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File                          | Description
cassandra/connection.py       | Escapes double quotes in keyspace names before interpolating into USE statements.
tests/unit/test_connection.py | Adds unit coverage ensuring both blocking and async code paths emit correctly-escaped USE queries.


…e_async

Escape double quotes in keyspace names when constructing USE statements
to prevent CQL injection. A keyspace name containing '"' would produce
malformed or injectable CQL (e.g., USE "foo"bar"). This is the Python
equivalent of the vulnerability fixed in the Go driver (gocql#783).

The fix escapes '"' as '""' per CQL quoted-identifier rules, matching
the existing escape_name() function in cassandra/metadata.py.
@mykaul mykaul force-pushed the fix/cql-injection-keyspace-escape branch from 6fafe05 to 3281c9f on March 22, 2026 16:27
@mykaul mykaul requested a review from Copilot on March 22, 2026 16:33

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.




@Lorak-mmk Lorak-mmk left a comment


Could you add a test that calls Session.set_keyspace with such name?
