How can I avoid SQL injection in Azure DocumentDB stored procedures?
Apart from sanitizing the input (whitelisted characters), what's the best practice here?
Take for example the following stored procedure adapted from the MSDN example:
function simple_sp(s1) {
    var context = getContext();
    var collection = context.getCollection();
    var response = context.getResponse();
    // s1 is concatenated straight into the query text, so any quote characters
    // in it become part of the SQL. This is the injection point under discussion.
    collection.queryDocuments(collection.getSelfLink(),
        'SELECT * FROM Families f where f.id = "' + s1 + '"', {},
        function (err, docs) {
            if (err) throw err;
            response.setBody(docs);
        }
    );
}
That s1 parameter is a standard example of injecting SQL into the query. So far I have not found a way to parameterize the query either.
Update:
Happy to say that as of 1/14/15, DocumentDB does support SQL parameterization. Support has been added across the .NET, Java, Node.js, and Python SDKs, as well as the REST API. Enjoy =)
Here's an example using the .NET SDK:
IQueryable<Book> queryable = client.CreateDocumentQuery<Book>(
    collectionSelfLink,
    new SqlQuerySpec {
        // The query text stays fixed; the value is supplied as a named parameter.
        QueryText = "SELECT * FROM books b WHERE (b.Author.Name = @name)",
        Parameters = new SqlParameterCollection() {
            new SqlParameter("@name", "Herman Melville")
        }
    });
Original Answer
DocumentDB does not support SQL parameterization yet... so you will want to sanitize your inputs to avoid unintentional exposure of data on reads (e.g. for multi-tenant applications).
That being said... the DocumentDB SQL injection attack surface area is fairly limited - as DocumentDB SQL only supports read-only queries. In other words, you do not have to worry about unintentional writes/updates/deletes in the context of DocumentDB and SQL Injection.
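The same parameterization applies inside a stored procedure: the server-side SDK's queryDocuments accepts a query object with `query` and `parameters` instead of a plain string. Below is an added example (not code from the question, the answer, or the SDK) that rewrites the question's procedure that way; `getContext()` is normally supplied by the DocumentDB runtime and is replaced here by a constructed stub so the file runs offline.

```javascript
// Added example (not from the question or answer): the question's stored
// procedure using the server-side SDK's parameterized query form instead of
// string concatenation. getContext() is stubbed below so this runs offline.

// Vulnerable form from the question: the caller's value becomes SQL text.
function buildUnsafeQuery(id) {
  return 'SELECT * FROM Families f WHERE f.id = "' + id + '"';
}

// Parameterized form: the query text is fixed and the value travels
// separately as a named parameter, so quotes in it cannot alter the query.
function buildParameterizedQuery(id) {
  return {
    query: 'SELECT * FROM Families f WHERE f.id = @id',
    parameters: [{ name: '@id', value: id }]
  };
}

// Stored procedure that passes the parameterized spec to queryDocuments.
function safe_sp(s1) {
  var context = getContext();
  var collection = context.getCollection();
  var response = context.getResponse();
  var accepted = collection.queryDocuments(collection.getSelfLink(),
    buildParameterizedQuery(s1), {},
    function (err, docs) {
      if (err) throw err;
      response.setBody(docs);
    });
  if (!accepted) throw new Error('query was not accepted');
}

// Constructed stub of the DocumentDB runtime: records the query it received.
var lastQuery = null;
function getContext() {
  return {
    getCollection: function () {
      return {
        getSelfLink: function () { return 'dbs/db/colls/Families'; },
        queryDocuments: function (link, query, opts, cb) {
          lastQuery = query;
          cb(null, []);
          return true;
        }
      };
    },
    getResponse: function () { return { setBody: function () {} }; }
  };
}
```

Whitelisting the input is still worthwhile as defence in depth, but with the parameterized spec the query text no longer depends on what the caller sends.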