tags:

views:

308

answers:

3
+1  Q: 

Injection safe call to IAxaptaRecord.ExecuteStmt()

Is there an injection safe way to call via the axpata business connector

string salesId = someObject.Text;

IAxaptaRecord salesLine = ax.CreateRecord("SalesLine");
salesLine.ExecuteStmt("select * from %1 where %1.SalesId == '" + salesId + "'");

If someObject.Text is set to the following, i am then vulnerable to x++ code injection:

"SomeSalesOrder' || %1.SalesId == 'SomeOtherOrder"

Is there a way to parametrize the query, or would it be better to write all of the data access code directly in x++, and then call that from COM?

A: 

you should do a replace on ' to \' e.g.

string salesId = someObject.Text.Replace("'", "\\'");
Luke Schafer  2009-05-18 04:14:14
I am looking for a parametrization method handled by the framework to handle all edge cases, not just the example I gave
holz  2009-05-18 04:52:44
You could create an extension method for IAxaptaRecord that is something like 'ExecuteParametizedStmt(string query, params object[])this would accept the query in a format expected by string.Format and build it that way, after performing the required work on the variables (such as escaping)
Luke Schafer  2009-05-20 00:12:32
The whole issue is handling escaping correctly. If the query was "select * from %1.Id == {0}" (where {0} should be an int), and then "42 || 1 == 1" is passed in, injection will still occur after I have escaped it with the method you gave.I don't know all of the edge cases of x++ injection here, so i don't want to write my own escaping method. Because if I do, chances are I would miss something, and I would only find out about it after it is too late. This is for a public facing web app with lots of confidential information, so i need to be 100% that there is no risk of injection.
holz  2009-05-20 12:04:42
By default simple queries use placeholders, but if you want to be 100% sure you should use the ForcePlaceholders keyword for joined queries. This is the X++ way to write parametrized queries. You can also take a look at the "Microsoft Dynamics AX Server Configuration Utility" where you can configure the default behavior for complex queries.
Velislav Marinov  2009-09-16 09:34:32
+1  A: 

There is no way to be sure you have covered all cases ...

Using ExecuteStmt is most likely the wrong approach. You should write your select or whatever in an Axapta method (with parameters) then call that method.

Jan B. Kjeldsen  2009-05-18 07:13:32
Given you don't use literals, the default behaviour for simple queries is to use placeholders (parametrized queries), which is considered safe. For complex queries (joins) the only way to be sure is to use the ForcePlaceholders hint in joins.
Velislav Marinov  2009-09-16 09:52:17
A: 

Holz,

You can use parametrized SELECT statements with the forcePlaceholder keyword. This is the default behavior in X++, but since this behavior can be overriden for complex joins, it's good idea to implicitly specify the forcePlaceholder hint.

As parametrized SELECTs impose some additional overhead, and don't allow optimiziation on the actual values of the parameters, you may want to consider using views, or axapta queries instead.

Regards, Velislav Marinov

Velislav Marinov  2009-05-18 20:36:33
`forceplaceholders` will not solve the problem stated in the question.The use of literals in X++ as values do not pose a problem, as values are quoted by the kernel.
Jan B. Kjeldsen  2009-09-11 06:48:43
You are wrong. ForcePlaceholders creates parametrized query, while ForceLiterals is vulnerable to SQL injection. Check the security whitepaper by MS.
Velislav Marinov  2009-09-16 08:44:19
Security white paper: http://download.microsoft.com/download/b/6/e/b6e77418-cde2-4ed4-a920-60d7f2d17757/Microsoft%20Dynamics%20AX%20Writing%20Secure%20X++%20Code.docThe question was about the use of direct SQL through the Business Connector, which is a bad thing.The `forceliterals`/`forceplaceholders` is another issue. Forceliteral is an issue if the kernel quoting can be circumvented, which may be difficult to disprove.
Jan B. Kjeldsen  2009-09-24 08:54:24
I agree that using direct sql is bad no matter whether through the BC or not. Your advice, which I support, was to use X++ methods, and my addition to that, was that the 'ForceLiterals' hint is vulnerable to SQL injection. My comment was based on the following recommendations from the same security paper: •Use safer alternatives for executing SQL: for example, use the Query class, Views, or X++ Select statements.•Do not use the forceLiterals keyword in X++ Select statements.•Do not set Query.literals(true).
Velislav Marinov  2009-09-27 18:58:15

related questions

How can I execute custom code when the AOT Service Starts on the Server in MS Dynamics AX?
Axapta/DynamicsAx: UTC datetime conversion
Installing Dynamics AX 4.0 SP2 on SQL Server 2008
Dynamics AX: How can corrected tax be coded in the Invoicing Input / Update of Purchase Orders - Posting Function?
Dynamics AX: How can I open a docuview document attached to a Purchase Requisition from a Purchase Order?
How do you empty an array in Axapta 3.0
Sending email via Axapta
Nested notExists joins X++ (Dynamics AX3.0)
Freeze one or more grid columns
Master/detail form in Axapta/Dynamics Ax
Range on integer fields in Axapta/Dynamics Ax
Filtering on linked table in Axapta/Dynamics Ax
How can I add more information to MS Dynamics 2009 AX's alert messages with X++ ?
SVN with Axapta
AX / Axapta: Retrive Custom fields via SQL
Microsoft AX and Business Connector / Enterprise Portal / Application Integration Framework
How can you make the footer axapta reporting tool print at the bottom of the page?
What is the best way to print columns from different tables on the same row using the Axapta reporting tool?
MS Dynamics AX / AXAPTA - Where is the code that prevents reprint of payment advices of unposted cheques?
How do I get the previous field value in the modifiedField method of a Dynamic Ax table?
Page breaks in Dynamic Ax Reports
How can I identify an Axapta class Name from the class ID?
How to create an X++ batch job in Axapta 3.0?
How can you scan an image with X++