SQLInjection against CosmosDB in an Azure function

Asked by 南旧, 2021-01-18 23:10

I have implemented an Azure function that is triggered by an HttpRequest. A parameter called name is passed as part of the HttpRequest. In Integrat

2 answers
  •  再見小時候
    2021-01-18 23:31

    If you're using Microsoft.Azure.Cosmos instead of Microsoft.Azure.Documents:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.Azure.Cosmos;

    public class MyContainerDbService : IMyContainerDbService
    {
        private Container _container;

        public MyContainerDbService(CosmosClient dbClient)
        {
            this._container = dbClient.GetContainer("MyDatabaseId", "MyContainerId");
        }

        // T is the document type the query returns. Keys in `parameters` must match the
        // @placeholders used in queryString (e.g. "@name"); the values are sent to Cosmos DB
        // as query parameters, never spliced into the query text.
        public async Task<IEnumerable<T>> GetMyEntriesAsync<T>(string queryString, Dictionary<string, object> parameters)
        {
            if ((parameters?.Count ?? 0) < 1)
            {
                throw new ArgumentException("Parameters are required to prevent SQL injection.");
            }
            var queryDef = new QueryDefinition(queryString);
            foreach (var parm in parameters)
            {
                queryDef.WithParameter(parm.Key, parm.Value);
            }
            // FeedIterator pages through results; ReadNextAsync returns one page at a time.
            FeedIterator<T> query = this._container.GetItemQueryIterator<T>(queryDef);
            List<T> results = new List<T>();
            while (query.HasMoreResults)
            {
                FeedResponse<T> response = await query.ReadNextAsync();
                results.AddRange(response.ToList());
            }

            return results;
        }
    }
    

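The following is an added example, not code from the original question or answer. It shows the HTTP-triggered function described in the question with the vulnerable form (the name parameter concatenated into the query text) next to the hardened form (a QueryDefinition with a named parameter, as in the answer above). Assumptions that are not on the page: the connection string is read from a COSMOS_CONNECTION_STRING environment variable, the documents carry a `name` property, and the in-process Azure Functions model (Microsoft.Azure.WebJobs) is used; the database and container ids are taken from the answer.

```csharp
// Added example (not from the original post). Hypothetical function that looks up
// documents by the "name" query-string parameter of the HTTP request.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.Cosmos;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class LookupByName
{
    // Assumption: connection string supplied via an app setting / environment variable.
    private static readonly CosmosClient Client =
        new CosmosClient(Environment.GetEnvironmentVariable("COSMOS_CONNECTION_STRING"));

    // VULNERABLE: the request value becomes part of the SQL text.
    // name = "' OR 1=1 OR c.name = '" turns the filter into
    //   WHERE c.name = '' OR 1=1 OR c.name = ''
    // which matches every document in the container.
    public static string BuildUnsafeQuery(string name) =>
        $"SELECT * FROM c WHERE c.name = '{name}'";

    // HARDENED: the SQL text is a constant; the value is bound to @name and is
    // compared as a string, so quotes in it have no syntactic effect.
    public static QueryDefinition BuildSafeQuery(string name) =>
        new QueryDefinition("SELECT * FROM c WHERE c.name = @name")
            .WithParameter("@name", name);

    [FunctionName("LookupByName")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
        ILogger log)
    {
        string name = req.Query["name"];
        if (string.IsNullOrEmpty(name))
        {
            return new BadRequestObjectResult("name is required");
        }

        // Ids taken from the answer above; "dynamic" stands in for the document type.
        Container container = Client.GetContainer("MyDatabaseId", "MyContainerId");
        FeedIterator<dynamic> iterator = container.GetItemQueryIterator<dynamic>(BuildSafeQuery(name));

        var results = new List<dynamic>();
        while (iterator.HasMoreResults)
        {
            FeedResponse<dynamic> page = await iterator.ReadNextAsync();
            results.AddRange(page);
        }

        log.LogInformation("Returned {Count} documents for name lookup", results.Count);
        return new OkObjectResult(results);
    }
}
```

The Cosmos DB SQL API only accepts SELECT queries, so an injected string cannot modify or delete data; what it can do is widen the filter (as the `1=1` payload above does) and return documents the caller should not see, and charge the request units for the larger scan to the function's account. A guard that merely checks that some parameters were supplied does not help if the query text itself is still built from user input, so keep the query string a constant and pass every request-derived value through WithParameter.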