Query Parameters with KQL
I found myself with the need to query a Kusto database from within a DotNet application. This got me thinking about what are some of the best ways to construct a query, especially when using data from a user as parameters.
In my case, the user parameter is coming from a config file. The application I wrote is a background task that reads 2 date/time ranges from the config to be included in the KQL query. I saw this as a vulnerability vector that could allow a malicious user to craft a payload that can be used as a parameter. To neuter this risk, I wanted to be able to sanitize the parameter before being used in the query.
The best option I was able to find was Kusto Query Parameters. From the documentation, it states that when using query parameters, “internally, they generate the appropriate literal of the query language and send it as a string through the REST API”.
Query parameters have to be declared before they can be used. After the declaration, the parameter name can be used within the query in place of the literal. The parameter value has to be supplied through ClientRequestProperties for it to be included in the query.
Here is my attempt before using query parameters. I construct the query with string interpolation of the variables that I want included.
Here is the final approach using query parameters.
In the case where an argument is passed that does not meet the datatype requirement of the query parameter, a SemanticException is thrown.
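The before/after described above, as an added C# example (not the post's own code) using the Kusto.Data client library; the cluster URI, database, the `Events` table and its `Timestamp` column are placeholders, and the two config values are constructed sample input:

```csharp
using System;
using System.Globalization;
using Kusto.Data;
using Kusto.Data.Common;
using Kusto.Data.Net.Client;

class Program
{
    // Placeholders, not values from the original post.
    const string ClusterUri = "https://<cluster>.kusto.windows.net";
    const string Database = "<database>";

    // BEFORE: string interpolation. Whatever the config file holds becomes part of
    // the query text itself, so a malformed or crafted value changes the query.
    static string BuildInterpolatedQuery(string startTime, string endTime) =>
        $"Events | where Timestamp between (datetime({startTime}) .. datetime({endTime}))";

    // AFTER: query parameters. The query text is fixed; the values are declared
    // with a type and Kusto renders them as datetime literals on its side.
    const string ParameterizedQuery = @"
declare query_parameters(startTime:datetime, endTime:datetime);
Events
| where Timestamp between (startTime .. endTime)";

    static ClientRequestProperties BuildProperties(DateTime start, DateTime end)
    {
        var props = new ClientRequestProperties();
        props.SetParameter("startTime", start); // DateTime overload -> datetime literal
        props.SetParameter("endTime", end);     // a non-datetime value cannot be passed here
        return props;
    }

    static void Main()
    {
        // Constructed sample of the two values read from the config file.
        string configStart = "2023-01-01T00:00:00Z";
        string configEnd = "2023-01-02T00:00:00Z";

        // Parse up front: a value that is not a datetime fails here, before any query is built.
        DateTime start = DateTime.Parse(configStart, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
        DateTime end = DateTime.Parse(configEnd, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);

        var kcsb = new KustoConnectionStringBuilder(ClusterUri, Database).WithAadUserPromptAuthentication();
        using var client = KustoClientFactory.CreateCslQueryProvider(kcsb);
        using var reader = client.ExecuteQuery(Database, ParameterizedQuery, BuildProperties(start, end));
        while (reader.Read())
            Console.WriteLine(reader[0]);
    }
}
```

If the declared parameter type and the supplied value disagree (for example a string where `datetime` is declared), the service rejects the request with the SemanticException mentioned above rather than running a different query.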
By sanitizing the user input, you make it harder for Murphy to intervene.