How to prevent FetchXML injection attacks

  • Question

  • How can one execute a FetchXML query with parameters and prevent an injection attack from occurring when executing the query using the CRM SDK? For example, MSDN documentation at https://msdn.microsoft.com/en-us/library/gg328117.aspx shows this code:

    string fetch2 = @"
       <fetch mapping='logical'>
         <entity name='account'> 
            <attribute name='accountid'/> 
            <attribute name='name'/> 
            <link-entity name='systemuser' to='owninguser'> 
               <filter type='and'> 
                  <condition attribute='lastname' operator='ne' value='Cannon' /> 
               </filter> 
            </link-entity> 
         </entity> 
       </fetch> "; 

    If one wanted to make the lastname attribute in the condition a parameter, how can this be done safely? I consider anything that takes a value and embeds this into the XML string using string formatting an invalid solution that is prone to changing the query semantics and could result in a different query being performed than intended.

    • Edited by Alan.M Friday, June 26, 2015 4:17 PM
    Friday, June 26, 2015 4:14 PM

Answers

  • Do you think the .NET SecurityElement.Escape method will cover all escaping necessary? Unlike the MSDN example code, I would also use double quotes in the FetchXML instead of single quotes to benefit from this method and not worry about handling ' characters.

    • Marked as answer by Alan.M Wednesday, March 15, 2017 12:19 AM
    Friday, June 26, 2015 5:36 PM
  • SecurityElement.Escape does in fact cover single and double quotation marks, see the remarks section of the linked MSDN documentation and rows 3 and 4 in the table.
    • Marked as answer by Alan.M Wednesday, March 15, 2017 12:20 AM
    Friday, June 26, 2015 6:43 PM
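
The following is an added example, not code from the thread or from the SDK documentation. It puts the three options discussed here side by side in C#: the raw string-formatting pattern the question rejects, the SecurityElement.Escape approach from the marked answer, a LINQ to XML builder that escapes attribute values for you, and the QueryExpression route suggested in the replies. The FetchXML template is the MSDN query from the question with the lastname value turned into a placeholder; the `payload` string is a constructed test value chosen to close the attribute and add markup, and the CRM SDK assembly (Microsoft.Xrm.Sdk.Query) is assumed to be referenced for the QueryExpression method only. The other methods need only the .NET base class library.

```csharp
using System;
using System.Linq;
using System.Security;
using System.Xml.Linq;
using Microsoft.Xrm.Sdk.Query;   // assumption: CRM SDK referenced (QueryExpression option only)

static class FetchXmlParams
{
    // The MSDN query from the question, with the lastname value left as a {0} placeholder.
    const string Template = @"
<fetch mapping='logical'>
  <entity name='account'>
    <attribute name='accountid'/>
    <attribute name='name'/>
    <link-entity name='systemuser' to='owninguser'>
      <filter type='and'>
        <condition attribute='lastname' operator='ne' value='{0}' />
      </filter>
    </link-entity>
  </entity>
</fetch>";

    // The pattern the question rejects: raw string formatting. A value containing
    // a quote can close the attribute and append its own markup.
    public static string BuildUnsafe(string lastName)
    {
        return string.Format(Template, lastName);
    }

    // Marked answer: escape the value first. SecurityElement.Escape turns
    // & < > " and ' into entities, so it is safe with either quote style.
    public static string BuildEscaped(string lastName)
    {
        if (lastName == null) throw new ArgumentNullException(nameof(lastName));
        return string.Format(Template, SecurityElement.Escape(lastName));
    }

    // Alternative that needs no manual escaping: build the tree with LINQ to XML.
    // XAttribute values are escaped by the serializer when ToString() runs.
    public static string BuildWithXElement(string lastName)
    {
        var fetch =
            new XElement("fetch", new XAttribute("mapping", "logical"),
                new XElement("entity", new XAttribute("name", "account"),
                    new XElement("attribute", new XAttribute("name", "accountid")),
                    new XElement("attribute", new XAttribute("name", "name")),
                    new XElement("link-entity",
                        new XAttribute("name", "systemuser"), new XAttribute("to", "owninguser"),
                        new XElement("filter", new XAttribute("type", "and"),
                            new XElement("condition",
                                new XAttribute("attribute", "lastname"),
                                new XAttribute("operator", "ne"),
                                new XAttribute("value", lastName))))));
        return fetch.ToString();
    }

    // The QueryExpression route from the replies: the value is passed as an object,
    // never as markup, so there is nothing to escape.
    public static QueryExpression BuildQueryExpression(string lastName)
    {
        var query = new QueryExpression("account") { ColumnSet = new ColumnSet("accountid", "name") };
        LinkEntity owner = query.AddLink("systemuser", "owninguser", "systemuserid");
        owner.LinkCriteria.AddCondition("lastname", ConditionOperator.NotEqual, lastName);
        return query;
    }

    // Structural check: a correctly parameterised query has exactly one <condition>.
    public static int CountConditions(string fetchXml)
    {
        return XDocument.Parse(fetchXml).Descendants("condition").Count();
    }

    static void Main()
    {
        // Constructed test value (not from the thread): closes the attribute and the
        // element, then appends a second filter with its own condition.
        string payload = "Cannon' /></filter><filter type='or'>" +
                         "<condition attribute='lastname' operator='not-null' value='";

        Console.WriteLine("unsafe:   " + CountConditions(BuildUnsafe(payload)) + " condition(s)");
        Console.WriteLine("escaped:  " + CountConditions(BuildEscaped(payload)) + " condition(s)");
        Console.WriteLine("xelement: " + CountConditions(BuildWithXElement(payload)) + " condition(s)");
    }
}
```

With the constructed payload, the unsafe builder still produces well-formed XML, but it now contains two condition elements, which is exactly the change of query semantics the question describes. The escaped and XElement builders both keep the payload inside a single attribute value (one condition element), and the QueryExpression never serialises the value as markup at all. The count check is a cheap assertion to keep in a unit test for any FetchXML builder that accepts user input.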

All replies

  • Interesting question. I think that sanitizing the string for ' characters will be enough; however, I would switch to QueryExpression if this is a relevant issue in your implementation.

    My blog: www.crmanswers.net - CRM Theme Generator

    • Marked as answer by Alan.M Friday, June 26, 2015 5:13 PM
    • Unmarked as answer by Alan.M Wednesday, March 15, 2017 12:19 AM
    Friday, June 26, 2015 4:30 PM
  • Input escaping it is then, unfortunately, thanks.

    Friday, June 26, 2015 5:12 PM
  • SecurityElement.Escape doesn't cover single or double quotation marks.

    Whether you need the single or double quotation mark depends on how you build your FetchXML; usually in C# single quotation marks are used, so it's not necessary to escape the double quotation mark due to C# syntax.


    My blog: www.crmanswers.net - CRM Theme Generator

    Friday, June 26, 2015 6:02 PM
  • Sorry, my mistake. I quickly checked the table and confused those rows with the \ symbol.

    My blog: www.crmanswers.net - CRM Theme Generator

    Friday, June 26, 2015 7:05 PM