[RSPEC-3649] Database queries should not be vulnerable to injection attacks - SonarSource

XML

Word

Printable

Details

Type: Vulnerability Detection
Status: Active
Resolution: Unresolved
Labels:
- cert
- cwe
- owasp-a1
- sans-top25-insecure
- sql

Message:
Change this code to not construct database queries directly from user-controlled data.
Highlighting:

Hide

"[varname]" is tainted (assignments and parameters)
this argument is tainted (method invocations)
the returned value is tainted (returns & method invocations results)

Show
" [varname] " is tainted (assignments and parameters) this argument is tainted (method invocations) the returned value is tainted (returns & method invocations results)
Default Severity:
Blocker
Impact:
High
Likelihood:
High
Default Quality Profiles:

Sonar way
Covered Languages:

C#, Java, JavaScript, PHP, Python, TypeScript
Irrelevant for Languages:

CSS, HTML
Remediation Function:
Constant/Issue
Constant Cost:
30min
Analysis Level:

Abstract Interpretation
Analysis Scope:

Main Sources
Common Rule:

Yes

CERT:
IDS00-J.
CWE:
CWE-89, CWE-564, CWE-20, CWE-943
OWASP:
A1
SANS Top 25:
Insecure Interaction Between Components

FindBugs:
SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
FindSecBugs:
SQL_INJECTION, SQL_INJECTION_HIBERNATE, SQL_INJECTION_JDO, SQL_INJECTION_JPA
FxCop:
ReviewSqlQueriesForSecurityVulnerabilities, CA2100

Description

User provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful database query injection attacks can read, modify, or delete sensitive information from the database and sometimes even shut it down or execute arbitrary operating system commands.

Typically, the solution is to use prepared statements and to bind variables to SQL query parameters with dedicated methods like setParameter, which ensures that user provided data will be properly escaped. Another solution is to validate every parameter used to build the query. This can be achieved by transforming string values to primitive types or by validating them against a white list of accepted values.

See

OWASP SQL Injection Prevention Cheat Sheet
OWASP Top 10 2017 Category A1 - Injection
MITRE, CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
MITRE, CWE-20 - Improper Input Validation
MITRE, CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
CERT, IDS00-J. - Prevent SQL injection
SANS Top 25 - Insecure Interaction Between Components

Attachments

Issue Links

is related to

RSPEC-2077 Formatting SQL queries is security-sensitive

Active

Options

Progress

Sub-Tasks

1.	C#	RSPEC-4073	Active	Unassigned
2.	Java	RSPEC-5129	Active	Unassigned
3.	PHP	RSPEC-5130	Active	Unassigned
4.	Python	RSPEC-5537	Active	Unassigned
5.	JavaScript	RSPEC-6051	Active	Unassigned

Activity

People

Assignee:: Unassigned

Reporter:: Ann Campbell

Votes:: 1 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 17/Jun/16 2:07 PM

Updated:: 28/May/21 5:48 PM