Auto interface SQL injection?
zhangb99 opened this issue · comments
We have an auto interface like this
```csharp
[Sql("GetSomething")]
public Task<Something> GetSomething(string id);

[Sql("SELECT something FROM somewhere WHERE id=@id")]
public Task<Something> SelectSomething(string id);
```
Whether the SQL attribute contains a proc or parameterized text, I would expect it to be safe against SQL injection. But we were surprised: it is actually trying to execute additional SQL. Say id=abc returns some data.
If you pass id=abc';IF%20(1=1)%20WAITFOR%20DELAY%20'0:0:5';-- it waits for 5 seconds
If you pass id=abc';select%20cast(user%20as%20int);-- it shows current SQL service account name.
I tried all combinations: explicit parameter, specifying CommandType, Proc vs Text. It appears the auto interface SQL attribute always tries to construct dynamic SQL, which results in SQL injection.
Did I miss something? Or using this the wrong way?
Thanks.
Sorry, my bad, I had dynamic SQL within the proc.
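The root cause acknowledged in the last comment, illustrated as an added T-SQL example that is not part of the issue or the library: a procedure that concatenates its parameter into a string re-introduces injection even though the caller bound `@id` correctly, and the same procedure rewritten with `sp_executesql` keeps the value as data. Table, column and procedure names (`dbo.somewhere`, `something`, `GetSomething_Vulnerable`, `GetSomething`) are assumptions based on the query text quoted above.

```sql
-- Added example, not from the issue. Object names are hypothetical.
-- The auto interface passes @id as a real parameter; what happens to it
-- inside the procedure decides whether injection is possible.

-- Vulnerable: the parameter value is spliced into the SQL text, so a value
-- such as abc';WAITFOR DELAY '0:0:5';-- closes the literal and runs as code.
CREATE OR ALTER PROCEDURE dbo.GetSomething_Vulnerable @id NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT something FROM dbo.somewhere WHERE id = ''' + @id + N''';';
    EXEC (@sql);   -- executes whatever the concatenation produced
END
GO

-- Hardened: the dynamic statement keeps its own @id marker and the value is
-- bound through sp_executesql; the query plan is also reusable.
CREATE OR ALTER PROCEDURE dbo.GetSomething @id NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT something FROM dbo.somewhere WHERE id = @id;';
    EXEC sys.sp_executesql @sql, N'@id NVARCHAR(100)', @id = @id;
END
GO

-- Quick audit (heuristic): list procedures whose body calls EXEC on a
-- string expression, which is where concatenated dynamic SQL usually lives.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS [schema],
       OBJECT_NAME(m.object_id)        AS [procedure]
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%(%@%' OR m.definition LIKE '%EXECUTE%(%@%';
```

The audit query only flags candidates; each hit still needs a manual look to confirm whether the string passed to `EXEC` was built from user-supplied input.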