Using the Dynamic LINQ library (link), is it vulnerable to injection? and (if so) how can this be protected against?
Some background from Security Considerations (Entity Framework):
LINQ to Entities injection attacks:
Although query composition is possible in LINQ to Entities, it is performed through the object model API. Unlike Entity SQL queries, LINQ to Entities queries are not composed by using string manipulation or concatenation, and they are not susceptible to traditional SQL injection attacks.
Since Dynamic SQL is composed using strings does that mean that it might be susceptible to injection vectors? Or will LINQ to SQL automatically take care of parametrizing your values based on the underlying datatype within the Dynamic LINQ library?
Or is it entirely safe since the dynamic query will be performed in memory rather than against the SQL (thereby negating any benefits from SQL indexes)?
I have been working through understanding the DynamicLibrary.cs
code but I'm sure I could be easily overlooking something.
As this question is about the Dynamic LINQ Library itself, this question can be considered to apply to both linq-to-sql
and linq-to-entities
(despite above reference to Entity Framework).