Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Azure Cosmos DB SQL API QueryDefinition multiple parameters for WHERE IN [duplicate]

I have implemented an Azure function that is triggered by a HttpRequest. A parameter called name is passed as part of the HttpRequest. In Integration section, I have used the following query to retrieve data from CosmosDB (as an input):

SELECT * FROM c.my_collection pm 
WHERE
Contains(pm.first_name,{name}) 

As you see I am sending the 'name' without sanitizing it. Is there any SQLInjection concern here?

I searched and noticed that parameterization is available but that is not something I can do anything about here.

like image 927
Mori Avatar asked Jan 22 '18 09:01

Mori


2 Answers

When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection that will handle sanitization.

Please view this article:

Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through “SQL injection”

This will cover any attempt to inject SQL through the name property.

like image 152
Matias Quaranta Avatar answered Sep 21 '22 08:09

Matias Quaranta


If you're using Microsoft.Azure.Cosmos instead of Microsoft.Azure.Documents:

public class MyContainerDbService : IMyContainerDbService
{
    private Container _container;

    public MyContainerDbService(CosmosClient dbClient)
    {
        this._container = dbClient.GetContainer("MyDatabaseId", "MyContainerId");
    }

    public async Task<IEnumerable<MyEntry>> GetMyEntriesAsync(string queryString, Dictionary<string, object> parameters)
    {
        if ((parameters?.Count ?? 0) < 1)
        {
            throw new ArgumentException("Parameters are required to prevent SQL injection.");
        }
        var queryDef = new QueryDefinition(queryString);
        foreach(var parm in parameters)
        {
            queryDef.WithParameter(parm.Key, parm.Value);
        }
        var query = this._container.GetItemQueryIterator<MyEntry>(queryDef);
        List<MyEntry> results = new List<MyEntry>();
        while (query.HasMoreResults)
        {
            var response = await query.ReadNextAsync();
            results.AddRange(response.ToList());
        }

        return results;
    }
}
like image 27
jaybro Avatar answered Sep 21 '22 08:09

jaybro