Is Injection Possible through Dynamic LINQ?

Question

Using the Dynamic LINQ library (link), is it vulnerable to injection? and (if so) how can this be protected against?

Some background from Security Considerations (Entity Framework):

LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Since Dynamic SQL is composed using strings does that mean that it might be susceptible to injection vectors? Or will LINQ to SQL automatically take care of parametrizing your values based on the underlying datatype within the Dynamic LINQ library?

Or is it entirely safe since the dynamic query will be performed in memory rather than against the SQL (thereby negating any benefits from SQL indexes)?

I have been working through understanding the DynamicLibrary.cs code but I'm sure I could be easily overlooking something.

As this question is about the Dynamic LINQ Library itself, this question can be considered to apply to both linq-to-sql and linq-to-entities (despite above reference to Entity Framework).

Answer 1

Well, I do not agree that the injection is not possible in Dynamic Linq.

What described in the answer by Ɖiamond ǤeezeƦ is correct but appies to standard Linq as constructed within the given language - C# or VB.Net or by calling extension methods like .Where with lambda functions.

Then, true, it is not possible to inject anything as the .NET Linq to Sql translator is, of course, decently written. Thus, the "SQL injection" is not possible, that's true.

However, what is possible with Dynamic Linq is "Linq injection" attack. In the explanation for safety of linq quoted by OP, it is stated:

LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

And basically this is a gist. If queries are composed by string manipulation then it is prone to injection attacks. And Dynamic Linq is actually composed from strings, therefore it is potentially prone to attack by injection.

Obviously, the attacker will have to be aware of the fact that you are using DynamicLinq and could attack only preparing the data so it results in valid malicious Dynamic Linq query.

I want to highlight this fact - the final SQL is composed safely, but whether original dynamic Linq is safe depends on you.

The must to make your dynamic linq query safe is to use placeholders for all user input. Never concatenate your string!

Imagine the following query:

dataset.Where("allowed == 1 and code == \"" + user_entered_data + "\""); 

If input is not sanitized and not escaped, the attacker could potentially input:

200" or allowed == 0 and code == "200 

which will result in:

allowed == 1 and code == "200" or allowed == 0 and code == "200" 

In order to avoid this, you should use placeholders:

dataset.Where("allowed == 1 and code == @0", user_entered_data); 

DynamicLinq will make the placeholder (in this case: user-entered data) a lambda argument (instead of concatenating it into query) and depend on Linq-To-Entities (or whatever backend is) to safely convert to SQL.