Escaping user data for redis, needed?


While using https://github.com/sewenew/redis-plus-plus as the library for talking to redis, the following question came up. How would you escape user-sent data which should be saved as a value of e.g. a json object (in order to not allow redis command injection)?

json.set doc $ '{"key": "value"}'

The user could send:

val\"ue

as a new value for key.

I'm using the raw command for json.set in redis-plus-plus and had to pass it like this in order to get it processed correctly by redis (value below would be the string val"ue):

m_pDb->jsonSet(key, "$.key", "\"" + value + "\"");

which calls this function:

void result(const std::vector<std::string>& cmd)
{
    // redis-plus-plus sends each element of cmd as one argument of the command
    auto val = m_pRedis->command(cmd.cbegin(), cmd.cend());
}

ue could now be interpreted as a further redis command. If I'm not wrong the command would at the end be like this:

json.set doc $.key "val"ue"

The point is, it should not be possible to "escape" out of the value and cause a parser error or whatever.

Is the value passed wrong? Is there some built-in escaping? Should every possible injection be escaped by the developer?
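As an added example (not code from the question or from redis-plus-plus), one way to handle this from the defender's side: serialize the user value as a JSON string literal before it becomes an argument of JSON.SET. Because `command(first, last)` in redis-plus-plus sends each element of the vector as its own RESP bulk string, the value can never start a second Redis command; the remaining risk is malformed JSON, which proper quoting of `"`, `\` and control characters removes. The function and argument names below are my own.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Serialize an arbitrary byte string as a JSON string literal (RFC 8259):
// quotes and backslashes are escaped, control characters become short
// escapes or \u00XX, everything else (including UTF-8) passes through.
std::string json_quote(const std::string& s) {
    std::string out = "\"";
    for (unsigned char c : s) {
        switch (c) {
            case '"':  out += "\\\""; break;
            case '\\': out += "\\\\"; break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\t': out += "\\t";  break;
            case '\b': out += "\\b";  break;
            case '\f': out += "\\f";  break;
            default:
                if (c < 0x20) {
                    char buf[7];
                    std::snprintf(buf, sizeof buf, "\\u%04x", static_cast<unsigned>(c));
                    out += buf;
                } else {
                    out += static_cast<char>(c);
                }
        }
    }
    out += '"';
    return out;
}

// Build the argument vector for JSON.SET. Each element is passed to the
// client as one argument, so the user value is always exactly one argument
// and, after json_quote, always exactly one JSON string.
std::vector<std::string> json_set_args(const std::string& key,
                                       const std::string& path,
                                       const std::string& user_value) {
    return {"JSON.SET", key, path, json_quote(user_value)};
}

int main() {
    // constructed sample: the value from the question, val"ue
    auto args = json_set_args("doc", "$.key", "val\"ue");
    for (const auto& a : args) std::printf("[%s] ", a.c_str());
    std::printf("\n");  // [JSON.SET] [doc] [$.key] ["val\"ue"]
    return 0;
}
```

The resulting vector is what you would hand to `m_pRedis->command(args.cbegin(), args.cend())`; the same `json_quote` output is also what you would splice into the full document string for `json.set doc $ '{...}'`.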
