enisn / AutoFilterer

AutoFilterer is a mini filtering framework library for dotnet. The main purpose of the library is to generate LINQ expressions for Entities over DTOs automatically. The first aim is to be compatible with Open API 3.0 Specifications
MIT License

Bug: constants instead of parameters #68

Closed denis-tsv closed 10 months ago

denis-tsv commented 11 months ago

Currently AutoFilterer generates LINQ expressions using constants.

SELECT p."Name" FROM Products p WHERE p."Name" = 'SomeName'

This expression is translated to a SQL query with hardcoded values. It allows SQL injection to be executed. Also, if queries like this are logged in a production environment, sensitive data such as bank card numbers will be logged too. The constants need to be replaced by parameters.

SELECT p."Name" FROM Products p WHERE p."Name" = $1

To replace the constant with a parameter in the SQL query, Expression.Constant needs to be replaced by Expression.Property.

enisn commented 11 months ago

Hi @denis-tsv

AutoFilterer doesn't generate any SQL query. AutoFilterer builds Lambda Expressions only. The SQL query is generated by Entity Framework. You can probably configure your Entity Framework to build the SQL as you desire.

AutoFilterer generates only something like this: .Where(x => x.Name == "SomeName") and Entity Framework converts that expression to: Select "Name" From ....

denis-tsv commented 11 months ago

Yes, I know that AutoFilterer generates Expressions. But it generates an expression which is translated by EF to SQL with hardcoded constants instead of parameters. If we write dbContext.Products.Where(x => x.Name == filter.Name).ToList() then EF will generate SQL with a parameter: SELECT Name FROM Products WHERE Name = @param1. But if we use AutoFilterer, dbContext.Products.ApplyFilter(filter).ToList(), then EF will generate SQL with a hardcoded constant: SELECT Name FROM Products WHERE Name = 'SomeName'.

It would be better to fix AutoFilterer to generate an Expression which will be translated to SQL with parameters instead of SQL with constants.

enisn commented 11 months ago

That makes sense, I'll work on it. Thanks for your explanation 🙏

enisn commented 11 months ago

Here: https://github.com/enisn/AutoFilterer/blob/66ca12f1c817946c7f88995def42f17a50f8318f/src/AutoFilterer/Attributes/OperatorComparisonAttribute.cs#L25

We just pass the value from the filter object as a Constant; it should be a property of the filter object instead of getting the data of the property and passing it as a constant.

Something like this should be passed from FilterBase:

Expression.Property(Expression.Constant(this), filterProperty)

I'll work on it asap
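The following is an added example, not AutoFilterer's own code, illustrating the difference described in the two comments above (the ApplyFilter vs. Where(x => x.Name == filter.Name) comparison, and the Expression.Property(Expression.Constant(this), filterProperty) proposal). The builder generates x => x.Prop == ... predicates from a filter DTO by reflection, with the right-hand operand either a bare Expression.Constant holding the property's current value, or an Expression.Property over Expression.Constant(filter). Product, ProductFilter, FilterBuilder, Build and RightOperandTypes are names invented for this example. EF Core is deliberately not referenced so the snippet runs against an in-memory list; the EF Core behaviour it is meant to illuminate is that a ConstantExpression in the tree is inlined into the generated SQL text, whereas an evaluatable sub-expression that is not itself a constant (such as a member access on a captured object) is extracted into a query parameter.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Reflection;

// Entity and filter DTO, constructed for this example.
public class Product
{
    public string Name { get; set; } = "";
    public string Category { get; set; } = "";
}

public class ProductFilter
{
    public string Name { get; set; }
    public string Category { get; set; }
}

public static class FilterBuilder
{
    // Builds x => x.P1 == <P1> && x.P2 == <P2> ... for every non-null filter
    // property whose name matches an entity property.
    // parameterize == false: right-hand side is Expression.Constant(value), i.e.
    //   the value is snapshotted into the tree (EF Core inlines this into SQL).
    // parameterize == true: right-hand side is a MemberExpression on a
    //   ConstantExpression holding the filter object (EF Core parameterizes this).
    public static Expression<Func<TEntity, bool>> Build<TEntity, TFilter>(TFilter filter, bool parameterize)
    {
        var x = Expression.Parameter(typeof(TEntity), "x");
        Expression body = null;
        Expression filterInstance = Expression.Constant(filter, typeof(TFilter));

        foreach (var filterProp in typeof(TFilter).GetProperties(BindingFlags.Public | BindingFlags.Instance))
        {
            var value = filterProp.GetValue(filter);
            if (value == null) continue; // unset filter field: no predicate for it

            var entityProp = typeof(TEntity).GetProperty(filterProp.Name);
            if (entityProp == null) continue; // no matching entity property

            Expression left = Expression.Property(x, entityProp);
            Expression right = parameterize
                ? Expression.Property(filterInstance, filterProp)      // value(TFilter).Name
                : Expression.Constant(value, entityProp.PropertyType);  // "SomeName"

            var clause = Expression.Equal(left, right);
            body = body == null ? clause : Expression.AndAlso(body, clause);
        }

        body = body ?? Expression.Constant(true); // empty filter matches everything
        return Expression.Lambda<Func<TEntity, bool>>(body, x);
    }

    // Reports the node type of each right-hand operand in the predicate; this
    // is the shape a query provider looks at when deciding constant vs. parameter.
    public static List<ExpressionType> RightOperandTypes(LambdaExpression lambda)
    {
        var result = new List<ExpressionType>();
        void Walk(Expression e)
        {
            if (e is BinaryExpression b)
            {
                if (b.NodeType == ExpressionType.AndAlso) { Walk(b.Left); Walk(b.Right); }
                else if (b.NodeType == ExpressionType.Equal) result.Add(b.Right.NodeType);
            }
        }
        Walk(lambda.Body);
        return result;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data.
        var products = new List<Product>
        {
            new Product { Name = "Keyboard", Category = "Hardware" },
            new Product { Name = "Mouse",    Category = "Hardware" },
            new Product { Name = "Keyboard", Category = "Software" },
        };
        var filter = new ProductFilter { Name = "Keyboard" };

        var constantPredicate  = FilterBuilder.Build<Product, ProductFilter>(filter, parameterize: false);
        var parameterPredicate = FilterBuilder.Build<Product, ProductFilter>(filter, parameterize: true);

        // Tree shapes: the literal is baked into the first, the second reads filter.Name.
        Console.WriteLine(constantPredicate);
        Console.WriteLine(parameterPredicate);
        Console.WriteLine(string.Join(",", FilterBuilder.RightOperandTypes(constantPredicate)));
        Console.WriteLine(string.Join(",", FilterBuilder.RightOperandTypes(parameterPredicate)));

        // Both select the same rows from the in-memory source; only the tree differs.
        Console.WriteLine(products.AsQueryable().Where(constantPredicate).Count());
        Console.WriteLine(products.AsQueryable().Where(parameterPredicate).Count());

        // The parameterized tree reads the filter at evaluation time instead of
        // snapshotting it, so a later change to the filter object is observed.
        filter.Name = "Mouse";
        Console.WriteLine(products.AsQueryable().Where(constantPredicate).Count());
        Console.WriteLine(products.AsQueryable().Where(parameterPredicate).Count());
    }
}
```

Printing the two lambdas shows the difference directly: the first renders as x => (x.Name == "Keyboard") while the second renders as x => (x.Name == value(ProductFilter).Name), and RightOperandTypes reports Constant for the first and MemberAccess for the second. When such a tree reaches EF Core, the MemberAccess form is what ends up as a SQL parameter, which is the property of interest for both the injection and the logging concern raised in the issue.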

enisn commented 11 months ago

Some breaking-changes are required, so I'll release the new infrastructure as v3.0

enisn commented 10 months ago

Finally, I just released a pre-release version, 3.0.0-pre.1.

All the tests pass, but still, I can't be sure it's stable until it's used and confirmed. So you can try whether it's OK with the new version.