I have been searching the internet for WiQL injection protection guides and have not found anything yet. This is for the Azure Dev Ops (ADO) previously known as Visual Studio Team Services (VSTS) API.
For this code, how should I prevent WiQL injection? The documentation does not show anything about preventing injection attacks here. What is the advice here? Just prevent ' characters?
string projectName = "user supplied input";
string tenantId= "user supplied input";
var wiql = new Wiql()
{
Query = $@"Select [Id] From WorkItems
Where [System.TeamProject] = '{projectName}'
And [Custom.TenantId] = '{tenantId}'
Order By [State] Asc, [Changed Date] Desc"
};
// create instance of work item tracking http client
var adoUri = new Uri($"{VSTS_URL}");
using (var trackingClient = new WorkItemTrackingHttpClient(adoUri, credentials))
{
// execute the query to get the list of work items in the results
var result = await trackingClient.QueryByWiqlAsync(wiql);
}
In this case I would follow the basics here , refer to OWASP Guidelines around SQL injection we can for sure adopt the following two practices .
Whitelist Input Validation
Legitimate inputs can be allowed in-to systems by Whitelisting them , whitelisting is generally more reliable than blacklisting since in this case the set of valid combinations is generally finite . This should be the primary defense in any case and can be combined with other Input Validation techniques.
Escaping All User Supplied Input
This technique works like this. Each system supports one or more character escaping schemes specific to certain kinds of queries. If you then escape all user supplied input using the proper escaping scheme , the system will not confuse the input with the WiQL code written by the developer.
Further reference on the supported escape characters can be found from here https://learn.microsoft.com/en-us/azure/devops/boards/queries/wiql-syntax?view=azure-devops
Would suggest this a further reading How to escape search strings in TFS Code Search