Is it possible to inject data using Dynamic LINQ?

c# dynamic-linq linq linq-to-entities linq-to-sql

Question

Is injection possible using the Dynamic LINQ library (link)? if that's the case, how can this be avoided?

Background information from Aspects of Security (Entity Framework)

LINQ to Entities injection attacks:

Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

Does the fact that Dynamic SQL is built using strings suggest that it might be vulnerable to injection vectors? Or will the Dynamic LINQ library's underlying datatype be used by LINQ to SQL to automatically parametrize your values?

Or, given that the dynamic query would be executed against memory rather than SQL (thereby removing any advantages from SQL indexes), is it completely safe?

I have been attempting to comprehend theDynamicLibrary.cs code, but I'm sure there's something I may easily be missing.

This query may be seen as pertaining to both as it concerns the Dynamic LINQ Library itself.linq-to-sql and linq-to-entities (despite the mention of Entity Framework above).

1
43
1/5/2012 7:22:40 AM

Accepted Answer

I disagree that Dynamic Linq cannot perform injections, however.

The information provided in the answer and "Diamond eeze" is accurate, but it also applies to ordinary Linq built in the respective programming language, such as C# or VB.Net, or by invoking extension methods such.Where Lambda functions are used.

The.NET Linq to Sql translator is obviously well-written, therefore it is true that nothing can be injected. It is true that this makes "SQL injection" impossible.

However, a "Linq injection" attack is conceivable with Dynamic Linq. The following is mentioned in the justification for linq's safety that the OP cites:

LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.

And that's essentially it. Injection attacks are possible when queries are built via string manipulation. Additionally, since Dynamic Linq is made out of strings, it may be vulnerable to injection attacks.

The attacker could only attack by getting the data ready to produce a legitimate malicious Dynamic Linq query, thus obviously they would have to be aware that you are using DynamicLinq.

I want to draw attention to the fact that although the final SQL is composed safely, it is uncertain whether the original flexible Linq is secure varies with you.

Use placeholders for all users' input in your dynamic linq query if you want to make it secure. Never combine strings together!

Consider the following example:

dataset.Where("allowed == 1 and code == \"" + user_entered_data + "\"");

If the input is not cleaned up and not escaped, the attacker may type:

200" or allowed == 0 and code == "200

which will lead to

allowed == 1 and code == "200" or allowed == 0 and code == "200"

You need to use placeholders to prevent this:

dataset.Where("allowed == 1 and code == @0", user_entered_data);

Instead of concatenating the placeholder (in this example, user-entered data) into the query, DynamicLinq will treat it as a lambda parameter and rely on Linq-To-Entities (or whatever backend is) to properly convert to SQL.

32
5/23/2017 12:02:23 PM

Popular Answer

I've learned through looking at theSystem.Data.Linq namespace is that a LINQ query is used to create a SQL object tree, and as part of this process theSqlParameterizer To replace all inline values with arguments, class is invoked. The parameters are then given the values. Consequently, SQL injection attacks ought to be impossible.



Related Questions





Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow
Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow