
I'm using Serilog.Expressions (3.4.0) to try to filter SQL injection attacks appearing in the query string. I've enriched the log event with the query string as a dictionary. It appears in my output as:

QueryString: {
    someKey: "UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL#"
}

I can successfully filter by specifying the key:

QueryString['someKey'] like '%UNION ALL SELECT%' ci

However, if I change the index to the "any" wildcard, the expression no longer matches the log event:

QueryString[?] like '%UNION ALL SELECT%' ci

Am I doing something wrong, or is this not supported?

hobwell
  • This turned out to be a bug in Serilog Expressions and has been fixed. https://github.com/serilog/serilog-expressions/issues/76 – hobwell Jan 20 '23 at 19:51
