msgraph-sdk-python-core
Escaping of parameters sent to graph filter queries to prevent injection attacks
Is your feature request related to a problem? Please describe.
Consider the following function:

```python
def get_user_by_email(email):
    # `email` is interpolated into $filter without any escaping: a value that
    # contains a single quote closes the string literal early and the rest of
    # the value is read as filter syntax
    return client.get(
        '/users',
        params={
            '$select': 'displayName',
            '$filter': f"mail eq '{email}'",
            '$top': '10',
        },
    )
```
A malicious actor may provide the parameter `email` as `' OR name='somethingelse`.
It is not entirely obvious how one should protect from such injections; the closest I found was https://docs.microsoft.com/en-us/graph/query-parameters#escaping-single-quotes, but it's not super obvious that quotes are a 100% sure delimiter for parameters, or what other security aspects may need to be considered.
Describe the solution you'd like
- More extensive documentation around this area.
- Helper functions provided by msgraph-sdk-python-core client library to protect from such attacks. Preferably in the form of parameterized queries. Functions providing all the appropriate quoting for dynamic arguments would also help a lot.
Additional context
See similar discussion and a more extensive example in the sibling dotnet client library: https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/626#issuecomment-589407477 and https://github.com/microsoftgraph/msgraph-sdk-dotnet/issues/1113
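An added example, not part of the issue above and not an API of msgraph-sdk-python-core: it applies the escaping rule from the linked Microsoft Graph docs (a single quote inside a string literal is written as two single quotes) and shows, with a constructed payload, why the interpolated version breaks and the quoted version does not. `graph_quote`, `build_filter_unsafe`, `build_filter_safe`, `users_query_params` and `string_literals` are hypothetical helper names; `string_literals` is a small tokenizer used only to show how many string literals the server would see in each filter. The quoting only covers values that land inside an OData string literal; a value interpolated as a number, enum, or property name needs an allow-list instead.

```python
def graph_quote(value: str) -> str:
    """Return `value` as one OData string literal for use in $filter.

    Per the Microsoft Graph query-parameter docs, a single quote inside a
    string literal is escaped by doubling it (' -> ''). With the surrounding
    quotes added here, caller-supplied text can no longer end the literal.
    """
    if not isinstance(value, str):
        raise TypeError("only str values can be quoted as an OData string literal")
    return "'" + value.replace("'", "''") + "'"


def build_filter_unsafe(email: str) -> str:
    # The interpolation from the issue: the value is dropped into the literal unchanged.
    return f"mail eq '{email}'"


def build_filter_safe(email: str) -> str:
    # Same filter, but the value is quoted as a whole.
    return f"mail eq {graph_quote(email)}"


def users_query_params(email: str) -> dict:
    """Query parameters for GET /users, as the issue's function would pass them."""
    return {
        "$select": "displayName",
        "$filter": build_filter_safe(email),
        "$top": "10",
    }


def string_literals(filter_expr: str) -> list:
    """Extract the OData string literals from a filter, honouring '' escapes.

    Hypothetical helper used only to illustrate how each filter is parsed:
    text outside the returned literals is operator/property syntax.
    """
    literals = []
    i, n = 0, len(filter_expr)
    while i < n:
        if filter_expr[i] != "'":
            i += 1
            continue
        i += 1  # skip opening quote
        buf = []
        while i < n:
            if filter_expr[i] == "'":
                if i + 1 < n and filter_expr[i + 1] == "'":
                    buf.append("'")  # escaped quote inside the literal
                    i += 2
                    continue
                i += 1  # closing quote
                break
            buf.append(filter_expr[i])
            i += 1
        literals.append("".join(buf))
    return literals


# Constructed injection payload in the spirit of the issue's example: closes
# the literal, appends an OR clause, and opens a new literal for the final quote.
PAYLOAD = "' or displayName eq 'somethingelse"

if __name__ == "__main__":
    for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
        f = build(PAYLOAD)
        print(f"{label}: {f!r}")
        print(f"  string literals seen by the parser: {string_literals(f)!r}")
```

With the payload, the unsafe filter parses as an empty literal, an `or` operator, and a second literal, so the caller's text became filter syntax; the quoted filter parses as a single literal equal to the payload, so it is only ever compared against `mail`.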