sapiens / SqlFu

Fast and versatile .net core data mapper/micro-orm

SQL Injection vulnerability #39

Closed Maarten88 closed 10 years ago

Maarten88 commented 10 years ago

This bug is quite bad. We have a query like this:

var players = db.Query<Player>(p => p.DisplayName.Contains(name));

A player has chosen DisplayName of "don't cry for me argentina" which gets translated into:

select [DisplayName],...,[Id] from [Player] where [DisplayName] like '%don't cry for me argentina%'

The single quote is not escaped! I would expect SqlFu to escape string parameters automatically like it does with sql params. It's a matter of time before someone figures out much funnier names than one with just a quote. We quickly changed the query and rolled out a hotfix:

var players = db.Query<Player>("select * from Player where name like @Name", new { Name = "%" + name + "%" });

which gets escaped correctly. Why are these lambda queries not also escaped?
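
The two behaviours described in this report, shown as an added example that is not part of the issue or of SqlFu's code: a Python script using the standard sqlite3 module stands in for the C# micro-ORM, `query_vulnerable` mimics the broken lambda translation (value pasted into the SQL text), `query_param_only` mimics the reporter's hotfix (parameter bound, but `%` and `_` from the user still act as wildcards), and `query_safe` binds the parameter and additionally escapes LIKE metacharacters. The Player rows and the function names are constructed for the demo.

```python
import sqlite3

# Constructed sample rows (not from the issue): Id, DisplayName.
PLAYERS = [
    (1, "don't cry for me argentina"),
    (2, "alice"),
    (3, "bob_the_builder"),
]


def make_db():
    """Build an in-memory Player table with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Player (Id integer primary key, DisplayName text)")
    conn.executemany("insert into Player values (?, ?)", PLAYERS)
    return conn


def query_vulnerable(conn, name):
    """Mimic the broken lambda translation: the value is spliced into the SQL text.
    A single quote in `name` breaks the statement; a crafted value changes it."""
    sql = f"select Id from Player where DisplayName like '%{name}%'"
    return sorted(row[0] for row in conn.execute(sql))


def query_param_only(conn, name):
    """Mimic the hotfix: bound parameter, so no injection, but the user can still
    supply LIKE wildcards (% and _) and widen the match."""
    rows = conn.execute("select Id from Player where DisplayName like ? order by Id",
                        ("%" + name + "%",))
    return [r[0] for r in rows]


def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters so user text is matched literally.
    The escape character itself is doubled first."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def query_safe(conn, name):
    """Bound parameter plus ESCAPE clause: no injection and no user-controlled wildcards.
    The surrounding % are added by us, so they remain wildcards."""
    pattern = "%" + escape_like(name) + "%"
    rows = conn.execute(
        "select Id from Player where DisplayName like ? escape '\\' order by Id",
        (pattern,))
    return [r[0] for r in rows]


def run_demo():
    """Run the three query styles against the reporter's name and a crafted value."""
    conn = make_db()
    quote_name = "don't cry for me argentina"   # the name from the report
    payload = "nobody' or 1=1 --"               # constructed injection payload
    results = {}
    try:
        results["vuln_quote"] = query_vulnerable(conn, quote_name)
    except sqlite3.Error:
        results["vuln_quote"] = "sql error"      # the quote breaks the statement
    results["vuln_payload"] = query_vulnerable(conn, payload)   # every row: the WHERE is bypassed
    results["param_only_percent"] = query_param_only(conn, "%") # every row: user wildcard
    results["safe_quote"] = query_safe(conn, quote_name)        # only the matching row
    results["safe_payload"] = query_safe(conn, payload)         # nothing
    results["safe_percent"] = query_safe(conn, "%")             # nothing: % matched literally
    results["safe_underscore"] = query_safe(conn, "_the_")      # only bob_the_builder
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The `escape '\'` clause is what makes the `%`/`_` escaping meaningful; without it the escaped pattern is sent verbatim and the backslashes themselves become literal characters to match. Whether a given ORM escapes LIKE metacharacters for you is worth checking separately from whether it parameterizes at all.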

sapiens commented 10 years ago

I've pushed a fix. It also affected StartsWith and EndsWith.

Maarten88 commented 10 years ago

Thanks for the fast response and fix!

Still, I'll be avoiding this lambda syntax from now on, as it has caused unexpected problems more than once; it's limited in scope, and I think now that writing SQL this way is not such a great idea.

Maarten88 commented 10 years ago

Your new NuGet package has a dependency on CavemanTools = 3.4.0; the previous package had >= 3.8.1.

With 3.4.0 I'll get the SemanticVersion bug back.

sapiens commented 10 years ago

I knew I left something out. I've pushed a new version with the correct dep.