Avoiding SQL injection in Azure DocumentDB Stored Procedures

Update:

Happy to say that as of 1/14/15 - DocumentDB does support SQL parameterization. Support has been added across the .NET, Java, Node.js, and Python SDKs, as well as the REST API. Enjoy =)

Here's an example using the .NET SDK:

IQueryable<Book> queryable = client.CreateDocumentQuery<Book>(collectionSelfLink, new SqlQuerySpec {
    QueryText = "SELECT * FROM books b WHERE (b.Author.Name = @name)",
    Parameters = new SqlParameterCollection() {
        new SqlParameter("@name", "Herman Melville")
    }
});

Original Answer

DocumentDB does not support SQL parametrization yet... so you will want to sanitize your inputs to avoid unintentional exposure of data on reads (e.g. for multi-tenant applications).

That being said... the DocumentDB SQL injection attack surface area is fairly limited - as DocumentDB SQL only supports read-only queries. In other words, you do not have to worry about unintentional writes/updates/deletes in the context of DocumentDB and SQL Injection.
To answer the question as it applies to the stored procedure JavaScript file:

function simple_sp(id) {
   var context = getContext();
   var collection = context.getCollection();
   var response = context.getResponse();

   // The caller-supplied id is bound to the @id parameter instead of being
   // concatenated into the query text, so it can never alter the query itself.
   var query = { query: "select * from Families f where f.id = @id", parameters: [{ name: "@id", value: id }] };

   var isAccepted = collection.queryDocuments(collection.getSelfLink(),
      query, {},
      function(err, documents, responseOptions) {
         if (err) throw new Error("Error querying documents: " + err.message);
         // Return the matching documents as the stored procedure's result.
         response.setBody(documents);
      }
   );
   if (!isAccepted) throw new Error("The query was not accepted by the server.");
}
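The same idea generalized to several filters, as an added example that is not part of the original answer: the query spec is assembled from untrusted values without concatenation, and the property names (which, as with parameterized SQL generally, cannot themselves be bound as parameters) are checked against a fixed allow-list. `buildFamilyQuery`, `unsafeFamilyQuery` and the allow-list are hypothetical names; the resulting spec is what you would hand to `queryDocuments`, nothing here contacts a server.

```javascript
// Properties a caller may filter on. Property names are part of the query text,
// so they come from this fixed list rather than from the request.
var ALLOWED_FILTER_PROPERTIES = { "id": true, "lastName": true, "address.city": true };

// Builds a { query, parameters } spec for "select * from Families f where ...".
// Every value is bound to a @pN parameter; an unknown property name throws.
function buildFamilyQuery(filters) {
  var clauses = [];
  var parameters = [];
  Object.keys(filters).forEach(function (prop, i) {
    if (!ALLOWED_FILTER_PROPERTIES.hasOwnProperty(prop)) {
      throw new Error("filter on '" + prop + "' is not allowed");
    }
    var paramName = "@p" + i;
    clauses.push("f." + prop + " = " + paramName);
    parameters.push({ name: paramName, value: filters[prop] });
  });
  var query = "select * from Families f";
  if (clauses.length > 0) {
    query += " where " + clauses.join(" and ");
  }
  return { query: query, parameters: parameters };
}

// The pattern to avoid, kept here only for contrast: the value is spliced into
// the query text, so any quote in the input changes the query itself.
function unsafeFamilyQuery(id) {
  return "select * from Families f where f.id = '" + id + "'";
}

// Constructed sample input: a benign value containing an apostrophe.
var sampleId = "O'Brien";
// Parameterized: the query text is identical regardless of the value.
console.log(buildFamilyQuery({ id: sampleId }).query);
// Concatenated: the apostrophe lands in the query text and breaks it.
console.log(unsafeFamilyQuery(sampleId));
```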