0

I have been searching the internet for WiQL injection protection guides and have not found anything yet. This is for the Azure Dev Ops (ADO) previously known as Visual Studio Team Services (VSTS) API.

For this code, how should I prevent WiQL injection? The documentation does not show anything about preventing injection attacks here. What is the advice here? Just prevent ' characters?

        string projectName = "user supplied input";
        string tenantId= "user supplied input";

        var wiql = new Wiql()
        {
            Query = $@"Select [Id] From WorkItems 
                        Where [System.TeamProject] = '{projectName}' 
                        And [Custom.TenantId] = '{tenantId}'
                        Order By [State] Asc, [Changed Date] Desc"
        };

        // create instance of work item tracking http client
        var adoUri = new Uri($"{VSTS_URL}");
        using (var trackingClient = new WorkItemTrackingHttpClient(adoUri, credentials))
        {
            // execute the query to get the list of work items in the results
            var result = await trackingClient.QueryByWiqlAsync(wiql);
        }
Pangamma
  • 731
  • 12
  • 28
  • Could you please elaborate "WiQL injection protection"? Do you mean you don't want users run query with DevOps REST api? The WIQL here can only view the work items, it doesn't inject any data to database. – Cece Dong - MSFT Dec 02 '20 at 07:35
  • Any update to your issue? – Cece Dong - MSFT Dec 04 '20 at 09:19
  • Well you want a user to be able to provide a single value to the query. tenantId. Username. Etc. You don't want them to be able to specify "tenantId' or '1' = '1" and suddenly pull a huge number of entries.You know. Standard SQL injection, but this time with WiQL. @CeceDong-MSFT – Pangamma Dec 07 '20 at 07:18

2 Answers2

1

In this case I would follow the basics here , refer to OWASP Guidelines around SQL injection we can for sure adopt the following two practices .

  1. Escaping All User Supplied Input
  2. Whitelist Input Validation

Whitelist Input Validation

Legitimate inputs can be allowed in-to systems by Whitelisting them , whitelisting is generally more reliable than blacklisting since in this case the set of valid combinations is generally finite . This should be the primary defense in any case and can be combined with other Input Validation techniques.

Escaping All User Supplied Input

This technique works like this. Each system supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme , the system will not confuse the input with the WiQL code written by the developer.

Further reference on the supported escape characters can be found from here https://learn.microsoft.com/en-us/azure/devops/boards/queries/wiql-syntax?view=azure-devops

Would suggest this a further reading How to escape search strings in TFS Code Search

Soumen Mukherjee
  • 2,953
  • 3
  • 22
  • 34
1

The WIQL here can only view the work items, it doesn't inject any data to database. It's equal to create queries from the web portal or from a supported client, such as Visual Studio Team Explorer and Team Explorer Everywhere. Check the link below:

https://learn.microsoft.com/en-us/azure/devops/boards/queries/using-queries?view=azure-devops

By default, all project members and users with Stakeholder access can view and run managed queries. If you mean you don't want users run work item query with DevOps REST api. You would need to remove the user from your team project.

Cece Dong - MSFT
  • 29,631
  • 1
  • 24
  • 39
  • Okay. Assuming tenantId comes from a URL parameter. /foo/someapi?tenantId=adsasdadasdasd' or '1' = '1 Suddenly they have injected extra conditions into the query. We want to avoid that in the most secure way possible. Usually you use prepared statements. I do not see any prepared statement library here. – Pangamma Dec 07 '20 at 07:21
  • By default, all project members and users with Stakeholder access can view and run managed queries. All supported WiQL can be queried. I'm afraid you can not limit the WiQL. – Cece Dong - MSFT Dec 07 '20 at 10:28
  • Is my reply helpful? – Cece Dong - MSFT Dec 10 '20 at 09:21
  • Not really. Part of me wants to leave this question unanswered until a date in the future when they add injection protection. Or else give it to anyone who can provide a hacked together sanitization regex. – Pangamma Dec 11 '20 at 19:32
  • You may submit a feature request at website below: https://developercommunity.visualstudio.com/content/idea/post.html?space=21. – Cece Dong - MSFT Dec 14 '20 at 08:41