如何防止Azure表注入?

时间:2015-07-29 13:37:29

标签: azure security sql-injection

是否有一般方法可以防止天蓝色储存注入。

如果查询包含用户输入的字符串,例如他的名字。然后可以做一些注射,如:jan +'或PartitionKey eq' kees。 这将使用partitionKey kees获取对象jan和对象。

一个选项是URLEncoding。在这种情况下'和"编码。并且上述注射不再可能。

这是最好的选择还是有更好的选择?

1 个答案:

答案 0 :(得分:0)

根据我的经验,我意识到有两种通用方法可以防止azure存储表注入。 一个是用另一个字符串替换字符串',如; ,“或URLEncode字符串'。这是你的选择。 另一种是使用普通内容的编程格式(例如Base64)的存储表密钥。

这是我的测试Java程序,如下所示:

import org.apache.commons.codec.binary.Base64;

import com.microsoft.azure.storage.CloudStorageAccount;
import com.microsoft.azure.storage.table.CloudTable;
import com.microsoft.azure.storage.table.CloudTableClient;
import com.microsoft.azure.storage.table.TableOperation;
import com.microsoft.azure.storage.table.TableQuery;
import com.microsoft.azure.storage.table.TableQuery.QueryComparisons;

public class TableInjectTest {

    private static final String storageConnectString = "DefaultEndpointsProtocol=http;" + "AccountName=<ACCOUNT_NAME>;"
            + "AccountKey=<ACCOUNT_KEY>";

    public static void reproduce(String query) {
        try {
            CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectString);
            CloudTableClient tableClient = storageAccount.createCloudTableClient();
            // Create table if not exist.
            String tableName = "people";
            CloudTable cloudTable = new CloudTable(tableName, tableClient);
            final String PARTITION_KEY = "PartitionKey";
            String partitionFilter = TableQuery.generateFilterCondition(PARTITION_KEY, QueryComparisons.EQUAL, query);
            System.out.println(partitionFilter);
            TableQuery<CustomerEntity> rangeQuery = TableQuery.from(CustomerEntity.class).where(partitionFilter);
            for (CustomerEntity entity : cloudTable.execute(rangeQuery)) {
                System.out.println(entity.getPartitionKey() + " " + entity.getRowKey() + "\t" + entity.getEmail() + "\t"
                        + entity.getPhoneNumber());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /*
     * The one way is replace ' with other symbol string
     */
    public static String preventByReplace(String query, String symbol) {
        return query.replaceAll("'", symbol);
    }

    public static void addEntityByBase64PartitionKey() {
        try {
            CloudStorageAccount storageAccount = CloudStorageAccount.parse(storageConnectString);
            CloudTableClient tableClient = storageAccount.createCloudTableClient();
            // Create table if not exist.
            String tableName = "people";
            CloudTable cloudTable = new CloudTable(tableName, tableClient);
            String partitionKey = Base64.encodeBase64String("Smith".getBytes());
            CustomerEntity customer = new CustomerEntity(partitionKey, "Will");
            customer.setEmail("will-smith@contoso.com");
            customer.setPhoneNumber("400800600");
            TableOperation insertCustomer = TableOperation.insertOrReplace(customer);
            cloudTable.execute(insertCustomer);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    // The other way is store PartitionKey using encoding format such as Base64
    public static String preventByEncodeBase64(String query) {
        return Base64.encodeBase64String(query.getBytes());
    }

    public static void main(String[] args) {
        String queryNormal = "Smith";
        reproduce(queryNormal);
        /*
         * Output as follows:
         * PartitionKey eq 'Smith'
         * Smith Ben    Ben@contoso.com 425-555-0102
         * Smith Denise Denise@contoso.com  425-555-0103
         * Smith Jeff   Jeff@contoso.com    425-555-0105
         */
        String queryInjection = "Smith' or PartitionKey lt 'Z";
        reproduce(queryInjection);
        /*
         * Output as follows:
         * PartitionKey eq 'Smith' or PartitionKey lt 'Z'
         * Webber Peter Peter@contoso.com   425-555-0101             <= This is my information
         * Smith Ben    Ben@contoso.com 425-555-0102
         * Smith Denise Denise@contoso.com  425-555-0103
         * Smith Jeff   Jeff@contoso.com    425-555-0105
         */
        reproduce(preventByReplace(queryNormal, "\"")); // The result same as queryNormal
        reproduce(preventByReplace(queryInjection, "\"")); // None result, because the query string is """PartitionKey eq 'Smith" or PartitionKey lt "Z'"""
        reproduce(preventByReplace(queryNormal, "&")); // The result same as queryNormal
        reproduce(preventByReplace(queryInjection, "&")); // None result, because the query string is """PartitionKey eq 'Smith& or PartitionKey lt &Z'"""
        /*
         * The second prevent way
         */
        addEntityByBase64PartitionKey(); // Will Smith
        reproduce(preventByEncodeBase64(queryNormal));
        /*
         * Output as follows:
         * PartitionKey eq 'U21pdGg='
         * U21pdGg= Will    will-smith@contoso.com  400800600     <= The Base64 string can be decoded to "Smith"
         */
        reproduce(preventByEncodeBase64(queryInjection)); //None result
        /*
         * Output as follows:
         * PartitionKey eq 'U21pdGgnIG9yIFBhcnRpdGlvbktleSBsdCAnWg=='
         */
    }

}

我认为最好的选择是根据应用程序选择一种合适的方法来阻止查询注入。

如有任何疑虑,请随时告诉我。

相关问题
最新问题