Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Power BI is turning 10! Let’s celebrate together with dataviz contests, interactive sessions, and giveaways. Register now.

EmanuelKakuja

SQL injection in Q&A Visual

Submitted by on ‎11-01-2021 01:48 AM

Hi everyone, 
While doing testing on one of our reports we uncovered that we can actually perform SQL injection via the Q&A visual .
You can even test this by writting 
'or 1=1--
in the Q&A visual of the Power BI sample report offered by Microsoft called "Sales and Returns sample v201912"

Is there a way to stop SQL injections from taking place via the Q&A visual ? 

Status: Investigating
See more ideas labeled with:
4 Comments (4 New)
Comments
v-chuncz-msft
Community Support
Community Support
‎11-01-2021 10:59 PM
Status changed to: Investigating
 
v-chuncz-msft
Community Support
Community Support
‎11-02-2021 12:00 AM

@EmanuelKakuja 

 

I tried the latest version to test several cases. All seem to be working fine.

EmanuelKakuja
New Member
‎11-09-2021 02:20 AM

Hellow ,

thank you for the reply . 

I am not sure what you mean by working fine . 
I am already using the latest version of desktop Version: 2.98.1004.0 64-bit (October 2021)

So, it take it that it is to be expected to be able to perform SQL injection via the Q&A visual ? ( screenshot bellow) and if so we do not have any way to prevent it ? 

I couldn't find any similar cases on the web . 
I did find a site where the user was able to perform SQL injection via Power BI parameter 
SQL Injection in Power BI Service - Michał Ćwiok (cwiok.pl)

Thank you in advance for your time and help . 

EmanuelKakuja_0-1636453017878.png

 



@v-chuncz-msft 
 

v-chuncz-msft
Community Support
Community Support
‎11-18-2021 12:54 AM

@EmanuelKakuja 

 

If user can perform SQL injection, the result would not be empty.

Idea Statuses