Menu
I have implemented an Azure function that is triggered by a HttpRequest. A parameter called name is passed as part of the HttpRequest. In Integration section, I have used the following query to retrieve data from CosmosDB (as an input):
SELECT * FROM c.my_collection pm
WHERE
Contains(pm.first_name,{name})
As you see I am sending the 'name' without sanitizing it. Is there any SQLInjection concern here?
I searched and noticed that parameterization is available but that is not something I can do anything about here.
785
In the Azure portal, navigate to and select the function app you created previously. Select Functions, and then select the HttpTrigger function. Select Integration and + Add output. Name of the binding type to select to create the output binding to Azure Cosmos DB.
The Azure Cosmos DB output binding lets you write a new document to an Azure Cosmos DB database using the SQL API. For information on setup and configuration details, see the overview.
The Azure Cosmos DB API for NoSQL supports querying documents using SQL.
Navigate to your Azure Cosmos DB account on the Azure portal. Select Keys from the left menu, then select Regenerate Primary Key from the ellipsis on the right of your primary key. Validate that the new primary key works consistently against your Azure Cosmos DB account.
When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection that will handle sanitization.
Please view this article:
Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through “SQL injection”
This will cover any attempt to inject SQL through the name property.
133
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
