
I've made the ability to sort page content dynamically through two query strings and dynamic LINQ. Today I just realized I can use this in an unintended way.

Intended

Typically I would provide the query string parameters Sort.Field=SomeField and Sort.Direction=desc and this would allow the sorting to be set via query.OrderBy(field + " " + direction) in the code.

Unintended

Today I learned I can provide something like Sort.Field=Modified.On != null ? Modified.On : Created.On and Sort.Direction=desc.

Being able to do this isn't dangerous itself, but it has left me feeling a bit uneasy as to what is possible with Dynamic LINQ.

Are there any other security issues that can occur that I never intended, via this injection of sorts?

Note

I did read this question/answer but that seems to be more aimed at escaping characters, where my concern is what dynamic LINQ's OrderBy function is capable of.

Shelby115
  • Starting to think that it's not going to be as dangerous as I first thought, since this will be using LINQ to SQL the user won't even be able to do a simple `Sort.Field=Modified.On.ToString()` so they're restricted to actions that LINQ to SQL will allow. Still not sure of the scope of that though. – Shelby115 May 01 '18 at 19:58
  • LINQ is different than string concatenation. When you send a raw SQL query to the server, the server parses that query into commands. The danger is not properly protecting your string concatenation and allowing a malicious actor to inject commands into your original query. With LINQ you are building up a sequence of code items via control flow in your own code. These code items aren't parsed by an interpreter; rather the code items are converted into equivalent SQL. So one cannot inject foreign commands into your query because you've effectively hard-coded the possible query(ies) in your code. – Kenneth K. May 01 '18 at 20:03
  • Yeah, I guess the worst they could do is figure out a field name you aren't displaying and sort by it. Tried doing some stuff like `Sort.Field=new Timestamp()` and it just gave me `syntax error` so I think my worries might have been for nothing. – Shelby115 May 01 '18 at 20:07
  • @KennethK. You should make your comment an answer. – slugster May 01 '18 at 20:22
  • @KennethK. "one cannot inject foreign commands into your query " that's not completely true. If you use dynamic linq for `Where` for example - one can inject foreign (LINQ) commands if you are not careful (not using parameters, just like with sql injections). – Evk May 01 '18 at 20:50
  • @Evk I may be misunderstanding "dynamic LINQ" then. I've understood dynamic LINQ to be continually building up IQueryables until you finally execute a `ToList`/`ToArray` (i.e. force query execution). – Kenneth K. May 01 '18 at 20:57
  • @KennethK. dynamic linq, at least in context of this question, is when you pass raw strings to linq functions (like `.Where("UserID = 1")`) and they are parsed to expressions. There are several libraries for that, like 'System.Linq.Dynamic'. – Evk May 01 '18 at 21:01
  • @Evk OK, then I agree that a similar security concern exists. – Kenneth K. May 01 '18 at 21:04
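The pattern the question and comments circle around (a raw `Sort.Field` string handed to Dynamic LINQ's `OrderBy`, which accepts whole expressions and any property the entity exposes, not just the columns you display) next to the allow-list fix a practitioner would apply. This is an added example, not code from the question or from any answer; it assumes the `System.Linq.Dynamic.Core` NuGet package for the vulnerable path, and the `Page`/`Audit` entity shape, the `Sorting` class and the `InternalNote` property are hypothetical names chosen for illustration. The safe version maps the client-supplied key to a compiler-checked lambda, so no request string ever reaches an expression parser:

```csharp
// Added example (not from the original post). Assumes the System.Linq.Dynamic.Core
// package for the "before" case; the entity and class names below are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Linq.Expressions;
using System.Linq.Dynamic.Core;   // NuGet: System.Linq.Dynamic.Core (assumed)

public class Audit { public DateTime? On { get; set; } }

public class Page
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    public Audit Created { get; set; } = new Audit();
    public Audit Modified { get; set; } = new Audit();
    public string InternalNote { get; set; } = "";   // hypothetical column never shown to users
}

public static class Sorting
{
    // BEFORE: the pattern from the question. Sort.Field is parsed as a Dynamic LINQ
    // expression, so "Modified.On != null ? Modified.On : Created.On" (as the question
    // observed) or a hidden property such as "InternalNote" are accepted like "Title".
    public static IQueryable<Page> SortUnsafe(IQueryable<Page> query, string field, string direction)
        => query.OrderBy(field + " " + direction);

    // AFTER: the client may only name a key from this allow list. Each value is a
    // compiler-checked lambda, so the request string is only ever a dictionary lookup.
    private static readonly Dictionary<string, LambdaExpression> AllowedFields =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["Title"]    = (Expression<Func<Page, string>>)(p => p.Title),
            ["Created"]  = (Expression<Func<Page, DateTime?>>)(p => p.Created.On),
            ["Modified"] = (Expression<Func<Page, DateTime?>>)(p => p.Modified.On),
        };

    public static IQueryable<Page> SortSafe(IQueryable<Page> query, string field, string direction)
    {
        if (!AllowedFields.TryGetValue(field ?? "", out var keySelector))
            throw new ArgumentException($"Unsupported sort field '{field}'.", nameof(field));

        bool descending = string.Equals(direction, "desc", StringComparison.OrdinalIgnoreCase);
        bool ascending  = string.Equals(direction, "asc",  StringComparison.OrdinalIgnoreCase);
        if (!descending && !ascending)   // reject anything else rather than guessing
            throw new ArgumentException($"Unsupported sort direction '{direction}'.", nameof(direction));

        // Build Queryable.OrderBy/OrderByDescending<Page, TKey>(query, keySelector) with the
        // selector's real key type, so the provider sees an ordinary expression tree.
        string method = descending ? nameof(Queryable.OrderByDescending) : nameof(Queryable.OrderBy);
        MethodCallExpression call = Expression.Call(
            typeof(Queryable), method,
            new[] { typeof(Page), keySelector.ReturnType },
            query.Expression, Expression.Quote(keySelector));
        return query.Provider.CreateQuery<Page>(call);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data; in the question this would be a LINQ to SQL table.
        var pages = new List<Page>
        {
            new Page { Id = 1, Title = "Alpha", Created = new Audit { On = new DateTime(2018, 1, 1) } },
            new Page { Id = 2, Title = "Beta",  Created = new Audit { On = new DateTime(2018, 2, 1) },
                                                Modified = new Audit { On = new DateTime(2018, 5, 1) } },
        }.AsQueryable();

        const string injected = "Modified.On != null ? Modified.On : Created.On";

        // The unsafe path happily evaluates the injected expression (and would also
        // accept "InternalNote", exposing ordering by a column the UI never shows).
        foreach (var p in Sorting.SortUnsafe(pages, injected, "desc"))
            Console.WriteLine($"unsafe: {p.Title}");

        // The safe path rejects it before any parser is involved.
        try { Sorting.SortSafe(pages, injected, "desc"); }
        catch (ArgumentException e) { Console.WriteLine($"safe rejected: {e.Message}"); }

        foreach (var p in Sorting.SortSafe(pages, "modified", "desc"))
            Console.WriteLine($"safe: {p.Title}");
    }
}
```

The allow list doubles as the answer to the "sort by a field you aren't displaying" worry raised in the comments: a property that is not in the dictionary cannot be named at all, and because the key selector is a typed lambda rather than a string, LINQ to SQL receives exactly the same expression tree it would get from hand-written `OrderBy(p => p.Modified.On)`.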
