DocumentDB Sql 注入?
DocumentDB Sql Injection?
我正在尝试将一些特定于客户端的查询构建卸载到客户端。我不认为我有 sql 注入 documentdb 的危险,因为它没有 UPDATE 或 DELETE 语句,但我并不肯定。另外,不知道以后会不会增加这些。
这是我的问题的一个例子。
IceCreamApp 想要查找名称与 "choco" 类似的所有口味。风味文档看起来像这样-
{
"name": "Chocolate",
"price": 1.50
}
API 了解 DocumentDB 并知道如何从中请求数据,但它不知道任何客户端实体的实体结构。所以要在 API-
上执行此操作
_documentClient.CreateDocumentQuery("...")
.Where((d) => d.name.Contains(query));
会抛出错误(d 是动态的,name 不一定是常见的 属性)。
我可以在客户端上构建并发送它。
客户端搜索请求-
{
"page": 1,
"pageSize": 10,
"query": "CONTAINS(name, 'choco')"
}
如果不进行消毒,这将是 sql 的一大禁忌。但这对 documentdb 是否重要?我对 运行 未过滤的客户端查询有多安全?
官方文档Announcing SQL Parameterization in DocumentDB:
Using this feature, you can now write parameterized SQL queries. Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through “SQL injection” *. Let's take a look at a sample using the .NET SDK; In addition to plain SQL strings and LINQ expressions, we've added a new SqlQuerySpec class that can be used to build parameterized queries.
DocumentDB is not susceptible to the most common kinds of injection attacks that lead to “elevation of privileges” because queries are strictly read-only operations. However, it might be possible for a user to gain access to data they shouldn’t be accessing within the same collection by crafting malicious SQL queries. SQL parameterization support helps prevent these sort of attacks.
这是一个官方示例,它使用单个用户提供的作者姓名参数查询 "Books" 集合:
POST https://contosomarketing.documents.azure.com/dbs/XP0mAA==/colls/XP0mAJ3H-AA=/docs
HTTP/1.1 x-ms-documentdb-isquery: True
x-ms-date: Mon, 18 Aug 2014 13:05:49 GMT
authorization: type%3dmaster%26ver%3d1.0%26sig%3dkOU%2bBn2vkvIlHypfE8AA5fulpn8zKjLwdrxBqyg0YGQ%3d
x-ms-version: 2014-08-21
Accept: application/json
Content-Type: application/query+json
Host: contosomarketing.documents.azure.com
Content-Length: 50
{
"query": "SELECT * FROM books b WHERE (b.Author.Name = @name)",
"parameters": [
{"name": "@name", "value": "Herman Melville"}
]
}
我正在尝试将一些特定于客户端的查询构建卸载到客户端。我不认为我有 sql 注入 documentdb 的危险,因为它没有 UPDATE 或 DELETE 语句,但我并不肯定。另外,不知道以后会不会增加这些。
这是我的问题的一个例子。
IceCreamApp 想要查找名称与 "choco" 类似的所有口味。风味文档看起来像这样-
{
"name": "Chocolate",
"price": 1.50
}
API 了解 DocumentDB 并知道如何从中请求数据,但它不知道任何客户端实体的实体结构。所以要在 API-
上执行此操作_documentClient.CreateDocumentQuery("...")
.Where((d) => d.name.Contains(query));
会抛出错误(d 是动态的,name 不一定是常见的 属性)。
我可以在客户端上构建并发送它。
客户端搜索请求-
{
"page": 1,
"pageSize": 10,
"query": "CONTAINS(name, 'choco')"
}
如果不进行消毒,这将是 sql 的一大禁忌。但这对 documentdb 是否重要?我对 运行 未过滤的客户端查询有多安全?
官方文档Announcing SQL Parameterization in DocumentDB:
Using this feature, you can now write parameterized SQL queries. Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through “SQL injection” *. Let's take a look at a sample using the .NET SDK; In addition to plain SQL strings and LINQ expressions, we've added a new SqlQuerySpec class that can be used to build parameterized queries.
DocumentDB is not susceptible to the most common kinds of injection attacks that lead to “elevation of privileges” because queries are strictly read-only operations. However, it might be possible for a user to gain access to data they shouldn’t be accessing within the same collection by crafting malicious SQL queries. SQL parameterization support helps prevent these sort of attacks.
这是一个官方示例,它使用单个用户提供的作者姓名参数查询 "Books" 集合:
POST https://contosomarketing.documents.azure.com/dbs/XP0mAA==/colls/XP0mAJ3H-AA=/docs
HTTP/1.1 x-ms-documentdb-isquery: True
x-ms-date: Mon, 18 Aug 2014 13:05:49 GMT
authorization: type%3dmaster%26ver%3d1.0%26sig%3dkOU%2bBn2vkvIlHypfE8AA5fulpn8zKjLwdrxBqyg0YGQ%3d
x-ms-version: 2014-08-21
Accept: application/json
Content-Type: application/query+json
Host: contosomarketing.documents.azure.com
Content-Length: 50
{
"query": "SELECT * FROM books b WHERE (b.Author.Name = @name)",
"parameters": [
{"name": "@name", "value": "Herman Melville"}
]
}