Skip to content

[Bug Report] Query API Lacks Parameterization, Enabling SQL Injection #3512

Description

@pregress

Summary
The IoT Hub C# SDK does not provide a mechanism for parameterized queries. Query strings must be built by hand, typically through string interpolation or concatenation. When any part of the query is derived from user input or an external source, this opens the door to SQL injection attacks against the IoT Hub query API. Although no data can be altered, this can be used for data exfiltration.

Steps to Reproduce

  1. Use the RegistryManager to run a query where a value comes from user input:
string userInput = "ModelX' OR '1'='1"; // malicious input
string query = $"SELECT * FROM devices WHERE tags.model = '{userInput}'";
var result = registryManager.CreateQuery(query);
  1. Observe that the injected payload is executed as part of the query rather than treated as a literal string value.
  2. Note that the SDK provides no alternative — there is no overload accepting parameters, no placeholder syntax, and no escaping utility.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions