Skip to content

Session Context Bug fix#3724

Open
RubenCerna2079 wants to merge 8 commits into
mainfrom
dev/rubencerna/fix-session-context-insertion-bug
Open

Session Context Bug fix#3724
RubenCerna2079 wants to merge 8 commits into
mainfrom
dev/rubencerna/fix-session-context-insertion-bug

Conversation

@RubenCerna2079

@RubenCerna2079 RubenCerna2079 commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Why make this change?

Solves bug related to how we handle specific queries with session-context.

What is this change?

  • Sets the claims inside the X-MS-CLIENT-PRINCIPAL header as parameters before using them inside of a query.

How was this tested?

  • Integration Tests
  • Unit Tests

Added test that ensures that invalid queries are not run through headers with session context.

Sample Request(s)

N/A

@RubenCerna2079 RubenCerna2079 changed the title Bug fix Session Context Bug fix Jul 15, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to fix a SQL Server session-context vulnerability/bug by ensuring user-claim keys used with sp_set_session_context are parameterized (instead of being embedded as a string literal), and it adds a unit test intended to guard against regressions.

Changes:

  • Parameterize the @key argument passed to sp_set_session_context in MsSqlQueryExecutor.GetSessionParamsQuery.
  • Add a new EasyAuth unit test intended to ensure “invalid query” content in the EasyAuth header does not cause unintended database side-effects.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
src/Core/Resolvers/MsSqlQueryExecutor.cs Parameterizes session-context keys to avoid claim-type string injection into sp_set_session_context.
src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs Adds a test intended to validate that malicious EasyAuth header content does not lead to unintended behavior/side-effects.

Comment thread src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs Outdated
Comment thread src/Core/Resolvers/MsSqlQueryExecutor.cs
Comment thread src/Service.Tests/Authentication/EasyAuthAuthenticationUnitTests.cs Outdated
@github-project-automation github-project-automation Bot moved this from Todo to Review In Progress in Data API builder Jul 15, 2026
…ncerna/fix-session-context-insertion-bug' into dev/rubencerna/fix-session-context-insertion-bug
""auth_typ"":""aad"",
""claims"":[
{
""typ"":""x', N'v';SET IDENTITY_INSERT authors ON;INSERT INTO authors (id, name, birthdate) VALUES (10001, 'Hidden Author', '2001-01-01');SET IDENTITY_INSERT authors OFF;SELECT 1 AS inserted FOR JSON PATH, WITHOUT_ARRAY_WRAPPER;--"",

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why did we remove SET IDENTITY_INSERT authors on? IF the query has to succeed, this should be on.

The test should check that query fails due to failed injection, and not due to other reasons. If the query starts failing because of removing SET IDENTITY_INSERT, we are not verifying whether injection is succeeding or failing.

@souvikghosh04 souvikghosh04 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Please address the comments.

}

/// <summary>
/// Tests we ensure that an invalid query in the EasyAuth header does not result in a successful request.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the summary says the invalid query "does not result in a successful request," but the test asserts the first request is successful (HttpStatusCode.OK at line 1638). is the actual intent is "the injected SQL does not execute"? if that's the case may be update the doc summary

Comment on lines +1628 to +1629
File.WriteAllText(SESSION_CONFIG, updatedConfig.ToJson());

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggesstion- cleanup the File created as part of TestCleanup

/// <summary>
/// Tests we ensure that an invalid query in the EasyAuth header does not result in a successful request.
/// </summary>
[TestCategory(TestCategory.MSSQL)]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this actually a Unit test or a SQL integration test? If its an integration test does it only apply to MSSQL?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

Status: Review In Progress

Development

Successfully merging this pull request may close these issues.

4 participants