locked
Is the Azure Storage Client susceptible to an equivalent of SQL Injection? RRS feed

  • Question

  • The fact that I haven't been able to find an explicit answer to my question implies to me that it's a stupid one, but I'd rather look stupid now than have a security breach later.
    I have a need to allow users to enter raw XML in an ASP.NET form hosted in Azure (which means I'll have to turn off validation for that page and validate the input in my code). The XML will eventually be stored in a property on an entity in Azure Table Storage. My question is: Do I have to worry about some kind of equivalent of SQL injection with Azure Tables (or any of the storage clients)? For example, could a malicious user enter text in the XML textbox that will somehow mix up the REST query that the storage client sends to Azure and corrupt my data? Or does the Storage Client handle escaping the data for you when it builds out the query? If not, should I just use HtmlEncode and HtmlDecode before sending data out to Azure Storage?

    Mike Olson
    Software Architect - CenterX
    Tuesday, April 5, 2011 4:10 PM

Answers

  • From what I understand, your application would take raw xml as a property value and store it in the property using the storage client library?

    WCF Data Service client library interface (which Storage Client Library uses), does escape property values before sending it over the wire. However, it is always recommended that an application sanitize the input by escaping/encoding it.
    For example:
    <d:LastName><xml><somdoc>ss</somedoc></xml></d:LastName>
    Is converted to the following over the wire:
    <d:LastName>&lt;xml&gt;&lt;somdoc&gt;ss&lt;/somedoc&gt;&lt;/xml&gt;</d:LastName>

    However, if your application is responsible for writing the raw data over the wire, it is best to escape/encode the xml before sending it across. Users otherwise could send malformed xml to add/update incorrect data.

    Thanks,
    jai

    • Marked as answer by Wenchao Zeng Wednesday, April 13, 2011 3:38 AM
    Tuesday, April 12, 2011 8:43 AM

All replies

  • Hi Mike - this is an excellent question.  Could user input somehow trump the storage engine into doing something it wasn't designed to do? Perhaps.  But just as important as the storage itself, the question becomes "what will you with this data?" Display it back to a user on a browser (XSS attack)? Build an inline query with parameters taken from the Azure Storage against a SQL Azure database (SQL Injection)?   I guess the good old principle of never trusting user input applies here too.


    Herve Roggero, Blue Syntax MVP SQL Azure Co-Author: Pro SQL Azure
    Tuesday, April 5, 2011 5:34 PM
  • From what I understand, your application would take raw xml as a property value and store it in the property using the storage client library?

    WCF Data Service client library interface (which Storage Client Library uses), does escape property values before sending it over the wire. However, it is always recommended that an application sanitize the input by escaping/encoding it.
    For example:
    <d:LastName><xml><somdoc>ss</somedoc></xml></d:LastName>
    Is converted to the following over the wire:
    <d:LastName>&lt;xml&gt;&lt;somdoc&gt;ss&lt;/somedoc&gt;&lt;/xml&gt;</d:LastName>

    However, if your application is responsible for writing the raw data over the wire, it is best to escape/encode the xml before sending it across. Users otherwise could send malformed xml to add/update incorrect data.

    Thanks,
    jai

    • Marked as answer by Wenchao Zeng Wednesday, April 13, 2011 3:38 AM
    Tuesday, April 12, 2011 8:43 AM