Force.com-Toolkit-for-NET
SQL (SOQL) injection in the QueryByIdAsync method
This method is vulnerable to SOQL (SQL) injection, as it forms a string without any proper encoding or validation.
public async Task<T> QueryByIdAsync<T>(string objectName, string recordId)
var query = string.Format("SELECT {0} FROM {1} WHERE Id = '{2}'", fields, objectName, recordId);
It would also be good to provide parameters that are automatically and properly encoded in QueryAsync and similar methods.
On my current project I had exactly the same need. When it comes to the query above, we have two kinds of query parameters there: one kind is used to construct the query (fields and objectName) and these should not be escaped and properly encoded; the second type (id) provides data to the query and should be properly escaped and encoded. I created a small ad hoc library that uses a Dapper-like interface to pass parameters:
client.Query("select field from object where Id = @id", new { id="abc" });
I would like to contribute back but this must be accepted by my employer so it may take a while.
I was investigating this issue myself. We have code like the following:
client.Query("SELECT id, name FROM Account WHERE name = '" + name + "'");
So if name is set to something like Jef'; DELETE FROM Account; -- the toolkit will NOT mitigate that?
Note the query input is escaped in the "QueryAsync" method using Uri.EscapeDataString:
var query = string.Format("SELECT {0} FROM {1} WHERE Id = '{2}'", fields, objectName, recordId);
var results = await QueryAsync<T>(query).ConfigureAwait(false);
public Task<QueryResult<T>> QueryAsync<T>(string query)
{
if (string.IsNullOrEmpty(query)) throw new ArgumentNullException("query");
return _jsonHttpClient.HttpGetAsync<QueryResult<T>>(string.Format("query?q={0}", Uri.EscapeDataString(query)));
}
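The two points made in this thread, the split between structural parameters (fields, objectName) and data parameters (recordId, name) described in the Dapper-like comment above, and the role of the Uri.EscapeDataString call in QueryAsync, can be shown together in C#. The following is an added example and is not code from Force.com-Toolkit-for-NET: the SoqlParameters class, its Bind, ToLiteral, EscapeString and CheckIdentifier methods, the @name placeholder syntax and the sample record id are all assumptions made for illustration. The escape rules follow the SOQL string-literal syntax (a backslash before the single quote, the backslash itself and control characters); identifiers cannot be quoted as literals, so they are checked against an allow-list pattern instead.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text;
using System.Text.RegularExpressions;

// Added illustration, not part of Force.com-Toolkit-for-NET: a minimal
// parameter binder in the spirit of the Dapper-like interface described above.
public static class SoqlParameters
{
    // @name placeholders in the template (assumed syntax, not the toolkit's).
    static readonly Regex Placeholder = new Regex(@"@([A-Za-z_][A-Za-z0-9_]*)");
    // Allow-list for structural parameters (field and object names), which
    // cannot be quoted as literals and must be validated instead.
    static readonly Regex Identifier = new Regex(@"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)*$");

    public static string Bind(string template, IDictionary<string, object> parameters)
    {
        return Placeholder.Replace(template, m =>
        {
            object value;
            if (!parameters.TryGetValue(m.Groups[1].Value, out value))
                throw new ArgumentException("Missing query parameter: " + m.Groups[1].Value);
            return ToLiteral(value);
        });
    }

    // Renders a data parameter as a SOQL literal; strings are quoted and escaped.
    public static string ToLiteral(object value)
    {
        if (value == null) return "null";
        if (value is string) return "'" + EscapeString((string)value) + "'";
        if (value is bool) return (bool)value ? "true" : "false";
        if (value is int || value is long || value is decimal || value is double)
            return Convert.ToString(value, CultureInfo.InvariantCulture);
        if (value is DateTime)
            return ((DateTime)value).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'", CultureInfo.InvariantCulture);
        throw new ArgumentException("Unsupported parameter type: " + value.GetType().Name);
    }

    // SOQL string literals use backslash escapes for the quote, the backslash
    // itself and control characters, so a quote inside user data stays data.
    public static string EscapeString(string s)
    {
        var sb = new StringBuilder(s.Length + 8);
        foreach (var c in s)
        {
            switch (c)
            {
                case '\'': sb.Append("\\'"); break;
                case '\\': sb.Append("\\\\"); break;
                case '\n': sb.Append("\\n"); break;
                case '\r': sb.Append("\\r"); break;
                case '\t': sb.Append("\\t"); break;
                default: sb.Append(c); break;
            }
        }
        return sb.ToString();
    }

    // Structural parameters: reject anything that is not a plain (dotted) identifier.
    public static string CheckIdentifier(string name)
    {
        if (name == null || !Identifier.IsMatch(name))
            throw new ArgumentException("Invalid SOQL identifier: " + name);
        return name;
    }
}

public static class Demo
{
    public static void Main()
    {
        // The value from the comment above, used here as constructed input.
        var name = "Jef'; DELETE FROM Account; --";

        // Concatenation: the quote in the data closes the literal early.
        var concatenated = "SELECT Id, Name FROM Account WHERE Name = '" + name + "'";

        // Uri.EscapeDataString only protects the HTTP query string; the server
        // decodes it before parsing, so the SOQL text it sees is unchanged.
        var decoded = Uri.UnescapeDataString(Uri.EscapeDataString(concatenated));
        Console.WriteLine("URL round trip preserves the concatenated query: " + (decoded == concatenated));

        // Binding: the same value becomes a single escaped literal.
        var bound = SoqlParameters.Bind(
            "SELECT Id, Name FROM Account WHERE Name = @name",
            new Dictionary<string, object> { { "name", name } });
        Console.WriteLine(bound);

        // QueryByIdAsync-style construction: structure validated, data bound.
        // The record id below is a constructed placeholder, not a real record.
        var objectName = SoqlParameters.CheckIdentifier("Account");
        var byId = SoqlParameters.Bind(
            "SELECT Id, Name FROM " + objectName + " WHERE Id = @id",
            new Dictionary<string, object> { { "id", "001000000000001AAA" } });
        Console.WriteLine(byId);
    }
}
```

Running Main shows that encoding and decoding the concatenated query returns it unchanged, while the bound query carries the quote inside the literal as \' so the whole value remains data. The binder takes a dictionary rather than the anonymous object used in the comment above (that would need reflection over the object's properties), and any literal @ in the template text is treated as a placeholder, so templates should keep @ for parameters only.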