是否可以通过动态 LINQ 进行注入? [英] Is Injection Possible through Dynamic LINQ?
问题描述
使用动态 LINQ 库(link),是否容易被注入?以及(如果是)如何防止这种情况发生?
Using the Dynamic LINQ library (link), is it vulnerable to injection? and (if so) how can this be protected against?
来自安全注意事项(实体框架)的一些背景:
LINQ to Entities 注入攻击:
LINQ to Entities injection attacks:
虽然查询组合在 LINQ to Entities 中是可能的,但它是通过对象模型 API 执行.与实体 SQL 查询不同,LINQ to Entities 查询不是使用字符串操作组成的或串联,它们不易受传统 SQL 的影响注入攻击.
Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
既然动态 SQL 是使用字符串组成的,这是否意味着它可能容易受到注入向量的影响?或者 LINQ to SQL 是否会根据动态 LINQ 库中的基础数据类型自动处理您的值的参数化?
Since Dynamic SQL is composed using strings does that mean that it might be susceptible to injection vectors? Or will LINQ to SQL automatically take care of parametrizing your values based on the underlying datatype within the Dynamic LINQ library?
或者它是完全安全的,因为动态查询将在内存中而不是针对 SQL 执行(从而否定 SQL 索引的任何好处)?
Or is it entirely safe since the dynamic query will be performed in memory rather than against the SQL (thereby negating any benefits from SQL indexes)?
我一直在努力理解 DynamicLibrary.cs 代码,但我确信我很容易忽略一些东西.
I have been working through understanding the DynamicLibrary.cs code but I'm sure I could be easily overlooking something.
由于这个问题是关于动态 LINQ 库本身,这个问题可以被认为适用于 linq-to-sql 和 linq-to-entities(尽管以上参考实体框架).
As this question is about the Dynamic LINQ Library itself, this question can be considered to apply to both linq-to-sql and linq-to-entities (despite above reference to Entity Framework).
推荐答案
好吧,我不同意在 Dynamic Linq 中无法进行注入.
Well, I do not agree that the injection is not possible in Dynamic Linq.
答案中描述的内容%C6%89iamond-%C7%A4eeze%C6%A6">Ɖiamond ǤeezeƦ 是正确的,但适用于在给定语言中构建的标准 Linq - C# 或 VB.Net 或通过调用扩展方法,如 .其中 与 lambda 函数.
What described in the answer by Ɖiamond ǤeezeƦ is correct but appies to standard Linq as constructed within the given language - C# or VB.Net or by calling extension methods like .Where with lambda functions.
那么,确实,不可能注入任何东西,因为 .NET Linq 到 Sql 转换器当然写得很好.因此,SQL 注入"是不可能的,这是真的.
Then, true, it is not possible to inject anything as the .NET Linq to Sql translator is, of course, decently written. Thus, the "SQL injection" is not possible, that's true.
然而,动态 Linq 可能是Linq 注入"攻击.在 OP 引用的 linq 安全性的解释中,指出:
However, what is possible with Dynamic Linq is "Linq injection" attack. In the explanation for safety of linq quoted by OP, it is stated:
LINQ to Entities 查询不是通过使用字符串操作或串联组合而成的,它们不易受到传统 SQL 注入攻击的影响.
LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
基本上这是一个要点.如果查询是由字符串操作组成的,那么它很容易受到注入攻击.而Dynamic Linq实际上是由字符串组成的,因此很容易被注入攻击.
And basically this is a gist. If queries are composed by string manipulation then it is prone to injection attacks. And Dynamic Linq is actually composed from strings, therefore it is potentially prone to attack by injection.
显然,攻击者必须意识到您使用的是 DynamicLinq 并且可能攻击仅准备数据,从而导致有效的恶意动态 Linq 查询.
Obviously, the attacker will have to be aware of the fact that you are using DynamicLinq and could attack only preparing the data so it results in valid malicious Dynamic Linq query.
我想强调这个事实——最终的SQL是安全组成的,但是原始动态Linq是否安全取决于你.
I want to highlight this fact - the final SQL is composed safely, but whether original dynamic Linq is safe depends on you.
要使您的动态 linq 查询安全,必须对所有用户输入使用占位符.永远不要连接你的字符串!
The must to make your dynamic linq query safe is to use placeholders for all user input. Never concatenate your string!
想象以下查询:
dataset.Where("allowed == 1 and code == "" + user_entered_data + """);
如果输入没有经过清理和转义,攻击者可能会输入:
If input is not sanitized and not escaped, the attacker could potentially input:
200" or allowed == 0 and code == "200
这将导致:
allowed == 1 and code == "200" or allowed == 0 and code == "200"
为了避免这种情况,您应该使用占位符:
In order to avoid this, you should use placeholders:
dataset.Where("allowed == 1 and code == @0", user_entered_data);
DynamicLinq 将使占位符(在这种情况下:用户输入的数据)成为 lambda 参数(而不是将其连接到查询中)并依赖 Linq-To-Entities(或任何后端)安全地转换为 SQL.
DynamicLinq will make the placeholder (in this case: user-entered data) a lambda argument (instead of concatenating it into query) and depend on Linq-To-Entities (or whatever backend is) to safely convert to SQL.
这篇关于是否可以通过动态 LINQ 进行注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
