Is a SQL Injection Attack Possible in QLDB/PartiQL


This question came up in a code review in reference to a select query that is necessarily constructed using string interpolation (C#) and I can't seem to find a reference one way or the other. For example, a query might look something like:

var sql = $"SELECT * FROM {someTable} WHERE {indexedField} = ?";

Because of the use of a param in the WHERE clause, I think this should be safe either way; however, it would be nice to have confirmation. A couple of unsophisticated attempts suggest that, even if an injection were attempted and the query ended up looking something like this

Select * from SomeTable; SELECT * FROM SomeOtherTable Where IndexedField = "1"

the engine would still error out on trying to run multiple queries.

2

There are 2 answers

2
Ethan Yang On

Any particular reason string interpolation is required?

https://docs.aws.amazon.com/qldb/latest/developerguide/driver-quickstart-dotnet.html#driver-quickstart-dotnet.step-5 Using parameters would probably best help prevent SQL injection.

0
Billy Liu On

Injections like Select * from SomeTable; SELECT * FROM SomeOtherTable Where IndexedField = "1" would indeed error out, because the QLDB driver requires one txn.Execute() call per query.

To reduce the risk of an injection, I would recommend:

For the second option, you can define permissions for certain tables to reject unwanted access in case of an injection attempt.
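The following is an added example, not code from the question or either answer. It shows, in plain Python string construction (no QLDB driver call, so it runs offline), why the `?` parameter in the question's pattern protects only the value: an attacker who controls the interpolated table or field name can rewrite the WHERE clause without a second statement, so the one-Execute-per-query behaviour described in the second answer does not catch it. The table and field names, the allowlist and the hostile input are constructed for the illustration; the hardened builder assumes the application knows its own schema and can allowlist identifiers before quoting them as PartiQL identifiers (double quotes).

```python
import re

# Constructed allowlist standing in for the application's known schema.
# The table and field names are illustrative, not taken from the original post.
ALLOWED_TABLES = {"SomeTable", "SomeOtherTable"}
ALLOWED_FIELDS = {"IndexedField", "Id"}

# A plain identifier: letters, digits and underscore, no whitespace or punctuation.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def unsafe_query(table: str, field: str) -> str:
    """The pattern from the question: identifiers interpolated, value bound as ?.

    The ? placeholder protects only the value. Whatever is passed as `table`
    or `field` becomes part of the statement text the driver executes.
    """
    return f"SELECT * FROM {table} WHERE {field} = ?"


def safe_query(table: str, field: str) -> str:
    """Identifiers are checked against the allowlist, then quoted as PartiQL
    identifiers (double quotes); the value stays a ? parameter."""
    for name, allowed in ((table, ALLOWED_TABLES), (field, ALLOWED_FIELDS)):
        if not IDENT_RE.match(name) or name not in allowed:
            raise ValueError(f"identifier not permitted: {name!r}")
    return f'SELECT * FROM "{table}" WHERE "{field}" = ?'


def demo() -> dict:
    """Build both forms with an attacker-controlled field name and report the
    statement text that would reach txn.Execute() in each case."""
    # Constructed attacker input: no ';' and only one statement, so the
    # one-statement-per-Execute rule does not stop it. The resulting
    # WHERE clause is true for every row regardless of the bound value.
    hostile_field = "1 = 1 OR IndexedField"
    out = {"unsafe": unsafe_query("SomeTable", hostile_field)}
    try:
        safe_query("SomeTable", hostile_field)
        out["safe"] = "accepted"
    except ValueError as exc:
        out["safe"] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    for name, statement in demo().items():
        print(f"{name}: {statement}")
```

The allowlist is the real control here; the identifier regex only keeps the double-quote quoting simple (no embedded quotes to escape). The value comparison still goes through the driver as a bound parameter, which is the part the question's pattern already gets right.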