Rules Repository: RSPEC-2077

Formatting SQL queries is security-sensitive


    Details

    • Message:
      Make sure using a dynamically formatted SQL query is safe here.
    • Highlighting:
      • Primary: on the sql query call
      • Secondary: on each assignment / format of the query
        • message when formatting: "SQL Query is dynamically formatted and assigned to {variable_name}"
        • message for an assignment: "SQL query is assigned to {variable_name}"
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#, Java, JavaScript, PHP, Python, TypeScript, VB.Net
    • Irrelevant for Languages:
      CSS, HTML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      20min
    • Analysis Scope:
      Main Sources
    • CERT:
      IDS00-J.
    • CWE:
      CWE-564, CWE-89, CWE-20, CWE-943
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindBugs:
      SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
    • FindSecBugs:
      SQL_INJECTION_HIBERNATE, SQL_INJECTION_JDO, SQL_INJECTION_JPA
    • FxCop:
      ReviewSqlQueriesForSecurityVulnerabilities, CA3001

      Description

      Formatted SQL queries can be difficult to maintain and debug, and concatenating untrusted values into the query text increases the risk of SQL injection. Note that this rule does not detect SQL injections (rule s3649 does); its goal is only to highlight complex/formatted queries so that they can be reviewed.

      Ask Yourself Whether

      • Some parts of the query come from untrusted values (like user inputs).
      • The query is repeated/duplicated in other parts of the code.
      • The application must support different types of relational databases.

      There is a risk if you answered yes to any of those questions.
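      The risk the description points at, shown as an added example (this is not code from the rule page or from SonarSource): a query built with str.format beside its parameterized equivalent, run against an in-memory SQLite table filled with constructed sample rows, plus the one case where formatting is hard to avoid (an ORDER BY column name, which cannot be a bound parameter) restricted to an allowlist. Function and table names are illustrative assumptions.

```python
import sqlite3

# Constructed sample rows for the demonstration (not taken from the rule page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_formatted(conn, name):
    """What RSPEC-2077 highlights: the query text itself is built from `name`.
    If `name` is untrusted this is SQL injection (CWE-89); the quotes in the
    input are interpreted as SQL, not as data."""
    query = "SELECT id, name FROM users WHERE name = '{}'".format(name)
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, name):
    """The recommended form: the query is a constant and `name` travels as a
    bound parameter, so it can never change the statement's structure."""
    query = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Identifiers (table/column names) cannot be bound as parameters. When a query
# part must be dynamic, restrict it to a fixed allowlist; that restriction is
# the justification a reviewer records when marking the highlighted issue safe.
ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def list_users_sorted(conn, sort_column):
    """Legitimately formatted query: only allowlisted identifiers reach the text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: {!r}".format(sort_column))
    query = "SELECT id, name FROM users ORDER BY {}".format(sort_column)
    return conn.execute(query).fetchall()


def demo():
    """Run both lookups with a benign name and a classic tautology payload."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed payload: turns the WHERE clause into a tautology
    return {
        "formatted_benign": find_user_formatted(conn, benign),
        "formatted_hostile": find_user_formatted(conn, hostile),      # leaks every row
        "parameterized_benign": find_user_parameterized(conn, benign),
        "parameterized_hostile": find_user_parameterized(conn, hostile),  # no match
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

      With the formatted query the hostile input returns all three rows; with the parameterized one it returns none, because the payload is compared literally against the name column. The allowlist function shows the pattern to apply when the rule flags a query whose dynamic part is an identifier rather than a value.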

      Recommended Secure Coding Practices

      See


          Issue Links

          1. Java: RSPEC-2779, Language-Specification, Active, Nicolas Harraudeau (Inactive)
          2. PHP: RSPEC-3284, Language-Specification, Active, Nicolas Harraudeau (Inactive)
          3. PL/SQL: RSPEC-3648, Language-Specification, Active, Unassigned
          4. C#: RSPEC-4873, Language-Specification, Active, Unassigned
          5. VB.NET: RSPEC-5004, Language-Specification, Active, Unassigned
          6. JavaScript: RSPEC-5082, Language-Specification, Active, Unassigned
          7. Python: RSPEC-5223, Language-Specification, Active, Unassigned


              People

              Assignee:
              nicolas.harraudeau Nicolas Harraudeau (Inactive)
              Reporter:
              ann.campbell.2 Ann Campbell
              Votes:
              1
              Watchers:
              9
