SQLInjection against CosmosDB in an Azure function

Question

I have implemented an Azure function that is triggered by a HttpRequest. A parameter called name is passed as part of the HttpRequest. In Integration section, I have used the following query to retrieve data from CosmosDB (as an input):

SELECT * FROM c.my_collection pm
WHERE
Contains(pm.first_name,{name})

As you see I am sending the 'name' without sanitizing it. Is there any SQLInjection concern here?

I searched and noticed that parameterization is available but that is not something I can do anything about here.

Accepted answer

When the binding occurs (the data from the HTTP Trigger gets sent to the Cosmos DB Input bind), it is passed through a SQLParameterCollection that will handle sanitization.

Please check this article:

Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through "SQL injection"

This will cover any attempt to inject SQL through the name property.
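As an added illustration of the accepted answer (not code from the original post or from the Azure Functions Cosmos DB extension), the following simplified JavaScript models how a {name} token in the binding's sqlQuery becomes a named query parameter rather than being spliced into the SQL text, and contrasts it with plain string interpolation. The function names, the regex-based token mapping and the hostile sample value are constructed for this example; the real extension's internals are not reproduced here.

```javascript
// Added example: a simplified model of how an Azure Functions Cosmos DB
// input binding turns a sqlQuery template such as
//   SELECT * FROM c WHERE Contains(c.first_name, {name})
// into a parameterized query. The real extension's code is not shown here;
// this only demonstrates the parameter-vs-interpolation difference.

// Build a parameterized query spec (query text + named parameters) from a
// sqlQuery template and the binding data supplied by the HTTP trigger.
function buildParameterizedQuery(template, bindingData) {
  const parameters = [];
  const query = template.replace(/\{(\w+)\}/g, (_, key) => {
    if (!(key in bindingData)) {
      throw new Error(`binding data has no value for {${key}}`);
    }
    const paramName = `@${key}`;
    // Each token becomes a named parameter. The user-supplied value is
    // carried separately, so quotes or keywords inside it never become
    // part of the query text and are matched literally by the server.
    if (!parameters.some((p) => p.name === paramName)) {
      parameters.push({ name: paramName, value: String(bindingData[key]) });
    }
    return paramName;
  });
  return { query, parameters };
}

// The unsafe alternative the asker was worried about: splicing the raw
// value into the SQL text, so its content becomes query syntax.
function buildInterpolatedQuery(template, bindingData) {
  return template.replace(/\{(\w+)\}/g, (_, key) => `'${bindingData[key]}'`);
}

// Constructed inputs: the asker's query and a hostile-looking name value.
const SQL_TEMPLATE =
  "SELECT * FROM c.my_collection pm WHERE Contains(pm.first_name, {name})";
const HOSTILE_NAME = "Bob' OR 1=1 OR 'x'='x";

// Stand-alone demo: the parameterized form keeps the value out of the SQL.
const spec = buildParameterizedQuery(SQL_TEMPLATE, { name: HOSTILE_NAME });
console.log("parameterized:", spec.query, JSON.stringify(spec.parameters));
console.log("interpolated: ", buildInterpolatedQuery(SQL_TEMPLATE, { name: HOSTILE_NAME }));
```

The first output line shows the value travelling only inside the parameters array; the second shows it rewriting the WHERE clause, which is what the binding's SqlParameterCollection prevents.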
