1

This question came up in a code review in reference to a select query that is necessarily constructed using string interpolation (C#) and I can't seem to find a reference one way or the other. For example, a query might look something like:

var sql = $"SELECT * FROM {someTable} WHERE {indexedField} = ?"; // interpolated string needs the $ prefix in C#

Because of the use of a param in the WHERE clause, I think this should be safe either way; however, it would be nice to have confirmation. A couple of unsophisticated attempts suggest that, even if an injection were attempted and the query ended up looking something like this

Select * from SomeTable; SELECT * FROM SomeOtherTable Where IndexedField = "1"

the engine would still error out on trying to run multiple queries.

2 Answers

1

Injections like Select * from SomeTable; SELECT * FROM SomeOtherTable Where IndexedField = "1" would indeed error out because the QLDB driver requires one txn.Execute() per query.

To reduce the risk of an injection, I would recommend:

For the second option, you can define permissions for certain tables to reject unwanted access in case of an injection attempt.

Billy Liu
  • 66
  • 2
0

Any particular reason string interpolation is required?

https://docs.aws.amazon.com/qldb/latest/developerguide/driver-quickstart-dotnet.html#driver-quickstart-dotnet.step-5 Using parameters would probably best help prevent SQL injection.

Ethan Yang
  • 31
  • 2
  • I am definitely using parameters in the query for the data values. However, where my issue comes up, is that I am dynamically naming the columns based on an object, so there is no better way I can think of *right now* other than string interpolation to build out the SQL itself. Appreciate the response! – Sobi-Wan Kenobi Jun 01 '21 at 03:42
  • As long as user input doesn't directly touch the interpolation, you should be fine. Is it possible to create a map between the user and the query, i.e. a => A, b => B, etc., so when user enters b, program looks up in b key in map and then uses B for column? – Grant Moore Jun 23 '22 at 19:07
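The pattern discussed in the question and in the last comment (values go through `?` parameters, table and column names come only from a fixed allow-list map, never from raw input) is shown below as an added example. It is not code from the question, the answers, or the QLDB driver: it uses Python with an in-memory SQLite database as a stand-in for the C#/QLDB setup, and the table names, column names and rows are constructed for the demonstration. It also checks the behaviour the question probes, namely that the driver rejects a second statement appended to the query text.

```python
import sqlite3

# Constructed allow-list: the only keys a caller may supply, mapped to the
# real identifiers that get interpolated. Unknown keys are rejected, so user
# input never reaches the query text itself.
TABLE_MAP = {"people": "People"}
COLUMN_MAP = {"a": "A", "b": "B"}


def build_query(table_key, column_key):
    """Interpolate identifiers from the allow-list only; the value stays a ? parameter."""
    try:
        table = TABLE_MAP[table_key]
        column = COLUMN_MAP[column_key]
    except KeyError as exc:
        raise ValueError(f"unknown identifier key: {exc.args[0]!r}") from None
    return f"SELECT * FROM {table} WHERE {column} = ?"


def run_query(conn, table_key, column_key, value):
    """Execute the allow-listed query, binding the value as a parameter."""
    sql = build_query(table_key, column_key)
    return conn.execute(sql, (value,)).fetchall()


def identifier_is_rejected(table_key, column_key):
    """True when the key is not in the allow-list (e.g. an injection attempt)."""
    try:
        build_query(table_key, column_key)
    except ValueError:
        return True
    return False


def multi_statement_is_rejected(conn):
    """Mirror of the question's probe: a second statement appended to the text.
    SQLite, like the QLDB driver described in the answer, executes one
    statement per call and raises on the extra one."""
    try:
        conn.execute("SELECT * FROM People; SELECT * FROM Secrets WHERE S = ?", ("top",))
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


def make_db():
    """Constructed sample data: one allowed table and one that must stay unreachable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE People (A TEXT, B TEXT)")
    conn.executemany("INSERT INTO People VALUES (?, ?)", [("x", "1"), ("y", "2")])
    conn.execute("CREATE TABLE Secrets (S TEXT)")
    conn.execute("INSERT INTO Secrets VALUES ('top')")
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_db()
    print(run_query(db, "people", "a", "x"))                 # normal lookup
    print(run_query(db, "people", "a", "x' OR '1'='1"))      # bound as data, matches nothing
    print(identifier_is_rejected("people", "A; DROP TABLE People"))  # key not in map
    print(multi_statement_is_rejected(db))                   # second statement refused
```

The important design point is that the map is consulted by key: the caller chooses `b`, the program looks up `B`, and the string that gets interpolated is always one the developer wrote. Validating identifiers with a regex is a weaker substitute, because it still lets a caller name any table or column that happens to match the pattern, which is where the answer's suggestion of table-level permissions becomes the backstop.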