I wrote the code at the end to generate a "contains" expression. But the SQL generated by linq2db did not use parameters for the words in the search, resulting in a SQL injection vulnerability.
Testing it on a Firebird database, the SQL generated did not use parameters for each word in the search.
WHERE
((1 = 0 OR Lower(t2.Location) LIKE '%in%') OR Lower(t2.Location) LIKE '%basement%')
To work around this, where the code now says:
var word = Expression.Constant(separateWord);
I replaced this with:
var word = Expression.Property(Expression.Constant(new {Value = separateWord}), "Value");
This time I get the expected parameterisation:
WHERE
((1 = 0 OR Lower(t2.Location) LIKE @p1 ESCAPE '~') OR Lower(t2.Location) LIKE @p2 ESCAPE '~')
Parameters:
Name:p1 Type:VarChar Used Value:%in%
Name:p2 Type:VarChar Used Value:%basement%
Is this expected behaviour? I was expecting that the constant would be parameterised in the generated query.
using System;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;

// False<T>() and Or() are PredicateBuilder-style helpers not shown in the issue:
// False<T>() yields x => false and Or() joins two predicates with OrElse.
public static Expression<Func<T, bool>> ContainsAnyWords<T>(Expression<Func<T, string>> searchItem, string words)
{
    var parameter = searchItem.Parameters[0];
    var property = searchItem.Body;
    var separateWords = words
        .Split(' ')
        .Where(x => !string.IsNullOrWhiteSpace(x));
    var predicate = False<T>();
    MethodInfo contains = typeof(string).GetMethod("Contains", new[] { typeof(string) });
    MethodInfo toLower = typeof(string).GetMethod("ToLower", Type.EmptyTypes);
    foreach (var separateWord in separateWords)
    {
        // This constant is what linq2db rendered as an inlined (escaped) LIKE literal;
        // the work-around above wraps the word in an anonymous object so it becomes a parameter.
        var word = Expression.Constant(separateWord);
        var lowerWord = Expression.Call(word, toLower);
        var lowerProperty = Expression.Call(property, toLower);
        // Lower(property).Contains(Lower(word)) translates to a LIKE '%word%' test.
        var containsExpression = Expression.Call(lowerProperty, contains, lowerWord);
        var lambda = Expression.Lambda<Func<T, bool>>(containsExpression, parameter);
        predicate = predicate.Or(lambda);
    }
    return predicate;
}
linq2db escapes LIKE pattern value before adding it to query text.
The only option for SQL injection here is an error in the escaping logic, either in general or for a specific database provider, like #169
@MaceWindu Thanks for that information. Having tested the code above with some attack-type syntax, I can see now that it is escaped properly in the LIKE clauses and parameters are therefore not needed.
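The check discussed in this thread, as an added example that is not part of the issue and is not linq2db's own code: a "contains any word" predicate is built both ways (the pattern inlined as an escaped SQL literal, and the pattern bound as a parameter with ESCAPE '~'), then both are run against an in-memory SQLite table with attack-type words to confirm they behave identically. SQLite stands in for the Firebird database in the issue, the `~` escape character and the `(1 = 0 OR ... )` shape mirror the SQL shown above, and the escaping rules in `escape_like_pattern` and `quote_sql_string` are this example's own, not a reproduction of linq2db's escaping logic; the table rows are constructed sample data.

```python
import sqlite3

ESCAPE = "~"

# Constructed sample data; the Location column mirrors t2.Location in the issue.
SAMPLE_ROWS = ["Basement", "Main hall", "100% storage", "O'Brien's office", "Under_stairs"]


def escape_like_pattern(word: str, escape: str = ESCAPE) -> str:
    """Neutralise LIKE metacharacters so a user word matches literally.

    The escape character is doubled first, so a user-supplied '~' cannot
    un-escape the '%' or '_' that this function adds after it.
    """
    out = word.replace(escape, escape + escape)
    out = out.replace("%", escape + "%").replace("_", escape + "_")
    return f"%{out}%"


def quote_sql_string(value: str) -> str:
    """Render a string as an SQL literal for inlining: double embedded single quotes.

    This is the step an inlined-literal strategy must get right for every provider;
    the parameterised strategy does not need it because the value never enters the SQL text.
    """
    return "'" + value.replace("'", "''") + "'"


def build_contains_any(column: str, words: str, parameterise: bool):
    """Build '(1 = 0 OR lower(col) LIKE ... ESCAPE '~') OR ...' for every non-blank word.

    Returns (where_fragment, params). With parameterise=False the escaped pattern is
    inlined as a quoted literal; with parameterise=True a '?' placeholder is emitted.
    """
    clause = "1 = 0"
    params = []
    for word in (w for w in words.split(" ") if w.strip()):
        pattern = escape_like_pattern(word.lower())
        if parameterise:
            clause = f"({clause} OR lower({column}) LIKE ? ESCAPE '{ESCAPE}')"
            params.append(pattern)
        else:
            literal = quote_sql_string(pattern)
            clause = f"({clause} OR lower({column}) LIKE {literal} ESCAPE '{ESCAPE}')"
    return clause, params


def render_sql(words: str, parameterise: bool):
    """Return the full SELECT and its parameter list, for inspection."""
    clause, params = build_contains_any("t2.Location", words, parameterise)
    return f"SELECT t2.Location FROM t2 WHERE {clause}", params


def search(rows, words: str, parameterise: bool):
    """Run the generated query against an in-memory SQLite table (stand-in for Firebird)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t2 (Location TEXT)")
    conn.executemany("INSERT INTO t2 VALUES (?)", [(r,) for r in rows])
    sql, params = render_sql(words, parameterise)
    return sorted(r[0] for r in conn.execute(sql, params))


if __name__ == "__main__":
    # Attack-type and wildcard inputs: each word must match literally, and the
    # inlined and parameterised forms must agree on every one of them.
    for words in ["in basement", "' OR 1=1 --", "O'Brien", "%", "_"]:
        inlined = search(SAMPLE_ROWS, words, parameterise=False)
        bound = search(SAMPLE_ROWS, words, parameterise=True)
        print(repr(words), inlined, "same" if inlined == bound else "DIFFERENT")
```

The two things worth asserting are that a word containing a quote is rendered as `'%o''brien%'` on the inlined path, and that `%` and `_` match only rows containing those characters literally; if the escape character were not doubled before the wildcards, a word such as `~%` would match every row.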