SQL Injection against CosmosDB in an Azure function

Front-end · Unresolved · 2 answers · 1195 views
南旧 2021-01-18 23:10

I have implemented an Azure function that is triggered by an HttpRequest. A parameter called name is passed as part of the HttpRequest. In Integrat

2 answers
  • 2021-01-18 23:31

    If you're using Microsoft.Azure.Cosmos instead of Microsoft.Azure.Documents:

    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Microsoft.Azure.Cosmos;

    // IMyContainerDbService and MyEntry are the answerer's own interface and
    // entity type; they are assumed to be defined elsewhere in the project.
    public class MyContainerDbService : IMyContainerDbService
    {
        private Container _container;

        public MyContainerDbService(CosmosClient dbClient)
        {
            this._container = dbClient.GetContainer("MyDatabaseId", "MyContainerId");
        }

        // queryString must use @-placeholders (e.g. "SELECT * FROM c WHERE c.name = @name");
        // user-supplied values travel in `parameters`, never in the query text itself.
        public async Task<IEnumerable<MyEntry>> GetMyEntriesAsync(string queryString, Dictionary<string, object> parameters)
        {
            if ((parameters?.Count ?? 0) < 1)
            {
                throw new ArgumentException("Parameters are required to prevent SQL injection.");
            }
            var queryDef = new QueryDefinition(queryString);
            foreach (var parm in parameters)
            {
                queryDef.WithParameter(parm.Key, parm.Value);
            }
            var query = this._container.GetItemQueryIterator<MyEntry>(queryDef);
            List<MyEntry> results = new List<MyEntry>();
            while (query.HasMoreResults)
            {
                // Each page is a FeedResponse<MyEntry>, which is already enumerable.
                var response = await query.ReadNextAsync();
                results.AddRange(response);
            }

            return results;
        }
    }
    
  • 2021-01-18 23:38

    When the binding occurs (the data from the HTTP trigger gets sent to the Cosmos DB input binding), it is passed through a SqlParameterCollection that will handle sanitization.

    Please view this article:

    Parameterized SQL provides robust handling and escaping of user input, preventing accidental exposure of data through “SQL injection”.

    This will cover any attempt to inject SQL through the name property.

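Both answers above point at the same defence: keep the user's value out of the query text and pass it as a parameter, whether through a `QueryDefinition` in SDK code (first answer) or the `SqlParameterCollection` behind the Cosmos DB input binding (second answer). The following is an added example, not code from either answer, that puts the string-built query the first answer's parameter check is meant to rule out next to the parameterized form it should take; `MyEntry`, the container, and the `HandleRequestAsync` wrapper are assumed names.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.Cosmos;
// Assumed entity type; property names match the JSON stored in the container.
public class MyEntry
{
    public string id { get; set; }
    public string name { get; set; }
}

public static class EntryQueries
{
    // UNSAFE: the request's "name" value is spliced into the query text, so any
    // quote or SQL fragment in it becomes part of the statement Cosmos DB parses.
    public static QueryDefinition UnsafeByName(string name)
    {
        return new QueryDefinition($"SELECT * FROM c WHERE c.name = '{name}'");
    }

    // SAFE: the query text is a fixed string with an @name placeholder; the
    // value is bound separately and is only ever compared as a string value.
    public static QueryDefinition SafeByName(string name)
    {
        return new QueryDefinition("SELECT * FROM c WHERE c.name = @name")
            .WithParameter("@name", name);
    }

    // Executes a query and drains every page of the FeedIterator.
    public static async Task<List<MyEntry>> RunAsync(Container container, QueryDefinition query)
    {
        var results = new List<MyEntry>();
        using FeedIterator<MyEntry> iterator = container.GetItemQueryIterator<MyEntry>(query);
        while (iterator.HasMoreResults)
        {
            FeedResponse<MyEntry> page = await iterator.ReadNextAsync();
            results.AddRange(page);
        }
        return results;
    }

    // Function body for the HTTP trigger: reject an empty name, then run only the safe form.
    public static Task<List<MyEntry>> HandleRequestAsync(Container container, string name)
    {
        if (string.IsNullOrWhiteSpace(name))
            throw new ArgumentException("name is required");
        return RunAsync(container, SafeByName(name));
    }
}
```

`UnsafeByName` is included only to show the shape that must not reach `GetItemQueryIterator`; the HTTP handler never calls it.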