How to prevent FetchXML injection attacks

Question
How can one execute a FetchXML query with parameters and prevent an injection attack from occurring when executing the query using the CRM SDK? For example, MSDN documentation at https://msdn.microsoft.com/en-us/library/gg328117.aspx shows this code:
string fetch2 = @"
    <fetch mapping='logical'>
      <entity name='account'>
        <attribute name='accountid'/>
        <attribute name='name'/>
        <link-entity name='systemuser' to='owninguser'>
          <filter type='and'>
            <condition attribute='lastname' operator='ne' value='Cannon' />
          </filter>
        </link-entity>
      </entity>
    </fetch>";
If one wanted to make the lastname attribute in the condition a parameter, how can this be done safely? I consider anything that takes a value and embeds this into the XML string using string formatting an invalid solution that is prone to changing the query semantics and could result in a different query being performed than intended.
- Edited by Alan.M Friday, June 26, 2015 4:17 PM
Friday, June 26, 2015 4:14 PM
All replies
Interesting question. I think that sanitizing the string for ' characters will be enough; however, I would switch to QueryExpression if this is a relevant issue in your implementation.
My blog: www.crmanswers.net - CRM Theme Generator
Friday, June 26, 2015 4:30 PM
Input escaping it is then, unfortunately, thanks.
Friday, June 26, 2015 5:12 PM
Do you think the .NET SecurityElement.Escape method will cover all escaping necessary? Unlike the MSDN example code, I would also instead use double quotes in the FetchXML instead of single quotes to benefit from this method and not worry about handling ' characters.
- Marked as answer by Alan.M Wednesday, March 15, 2017 12:19 AM
Friday, June 26, 2015 5:36 PM
SecurityElement.Escape doesn't cover single or double quotation marks.
Whether you need single or double quotation marks depends on how you build your FetchXML; usually in C# single quotation marks are used, so it's not necessary to escape the double quotation mark due to C# syntax.
My blog: www.crmanswers.net - CRM Theme Generator
Friday, June 26, 2015 6:02 PM
SecurityElement.Escape does in fact cover single and double quotation marks, see the remarks section of the linked MSDN documentation and rows 3 and 4 in the table.
- Marked as answer by Alan.M Wednesday, March 15, 2017 12:20 AM
Friday, June 26, 2015 6:43 PM
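As an added illustration of the two approaches discussed in this thread (this is not code from the question or from any of the answers): the accepted SecurityElement.Escape technique with double-quoted attribute values, and the QueryExpression alternative Guido suggested, which keeps the parameter out of XML text entirely. It assumes the Microsoft.Xrm.Sdk assemblies from the CRM SDK; the helper names BuildFetch, ConditionValue and BuildQueryExpression and the sample input are constructed for this example.

```csharp
using System;
using System.Linq;
using System.Security;      // SecurityElement.Escape
using System.Xml.Linq;      // XDocument, used only to check that the result is well-formed XML
using Microsoft.Xrm.Sdk;
using Microsoft.Xrm.Sdk.Query;

public static class FetchXmlParameters
{
    // Builds the MSDN sample query with the last name supplied as a parameter.
    // SecurityElement.Escape replaces < > & ' and " with XML entities, so the
    // parameter can never close the attribute or open a new element; the query
    // shape stays fixed and the value is compared as one literal string.
    // Double quotes are used for attribute values as the accepted answer suggests;
    // with Escape applied, either quote style is safe.
    public static string BuildFetch(string lastName)
    {
        if (lastName == null) throw new ArgumentNullException(nameof(lastName));
        string escaped = SecurityElement.Escape(lastName);
        return
            "<fetch mapping=\"logical\">" +
            "  <entity name=\"account\">" +
            "    <attribute name=\"accountid\"/>" +
            "    <attribute name=\"name\"/>" +
            "    <link-entity name=\"systemuser\" to=\"owninguser\">" +
            "      <filter type=\"and\">" +
            "        <condition attribute=\"lastname\" operator=\"ne\" value=\"" + escaped + "\" />" +
            "      </filter>" +
            "    </link-entity>" +
            "  </entity>" +
            "</fetch>";
    }

    // Parses the generated FetchXML and returns the value the XML parser sees for
    // the condition, so a caller can confirm the parameter arrived unchanged and
    // that the document still contains exactly one condition.
    public static string ConditionValue(string fetchXml)
    {
        XDocument doc = XDocument.Parse(fetchXml);   // throws if the XML is malformed
        XElement condition = doc.Descendants("condition").Single();
        return (string)condition.Attribute("value");
    }

    // The same query as a QueryExpression: the parameter is a value object inside
    // a ConditionExpression and is never concatenated into any text, so no
    // escaping is needed at all.
    public static QueryExpression BuildQueryExpression(string lastName)
    {
        var query = new QueryExpression("account")
        {
            ColumnSet = new ColumnSet("accountid", "name")
        };
        LinkEntity owner = query.AddLink("systemuser", "owninguser", "systemuserid");
        owner.LinkCriteria.AddCondition("lastname", ConditionOperator.NotEqual, lastName);
        return query;
    }

    public static void Main()
    {
        // Constructed input containing every character that Escape rewrites.
        string awkward = "O'Brien\" <x/> & co";

        string fetch = BuildFetch(awkward);
        Console.WriteLine(fetch);
        // Round trip: the parser recovers the original string, quotes and all.
        Console.WriteLine(ConditionValue(fetch) == awkward);

        // Either form is executed through an IOrganizationService instance (service), e.g.
        //   EntityCollection rows = service.RetrieveMultiple(new FetchExpression(fetch));
        //   EntityCollection rows = service.RetrieveMultiple(BuildQueryExpression(awkward));
    }
}
```

The ConditionValue check is the property a reviewer actually wants: after escaping, the document parses and the single condition carries the caller's string verbatim, which is what string formatting without escaping cannot guarantee.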
Sorry, my mistake. I quickly checked the table and confused those rows with the \ symbol.
My blog: www.crmanswers.net - CRM Theme Generator
Friday, June 26, 2015 7:05 PM