RSPEC-3649

Database queries should not be vulnerable to injection attacks


    Details

    • Message:
      Change this code to not construct database queries directly from user-controlled data.
    • Highlighting:
      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns & method invocations results)
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Covered Languages:
      C#, Java, JavaScript, PHP, Python, TypeScript
    • Irrelevant for Languages:
      CSS, HTML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CERT:
      IDS00-J.
    • CWE:
      CWE-89, CWE-564, CWE-20, CWE-943
    • OWASP:
      A1
    • SANS Top 25:
      Insecure Interaction Between Components
    • FindBugs:
      SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
    • FindSecBugs:
      SQL_INJECTION, SQL_INJECTION_HIBERNATE, SQL_INJECTION_JDO, SQL_INJECTION_JPA
    • FxCop:
      ReviewSqlQueriesForSecurityVulnerabilities, CA2100

      Description

      User-provided data, such as URL parameters, request bodies, headers and cookies, should always be considered untrusted and tainted. Building a SQL query by concatenating tainted data into the query text lets an attacker inject specially crafted values that change the structure and meaning of the query. A successful database query injection can read, modify or delete sensitive data, and in some configurations can shut the database down or execute operating system commands through database features such as stored procedures.

      The usual fix is to use prepared statements and bind user-provided values to query parameters with dedicated methods such as setParameter (JPA) or the setXxx methods of a JDBC PreparedStatement: the value is sent to the database separately from the query text, so it can never change the query's structure. Binding only works for values, not for identifiers or syntax; a user-controlled table name, column name or ORDER BY clause cannot be bound and must instead be validated. Validation is done by converting the string to a primitive type (for example an integer identifier) or by checking it against an allow list of accepted values, and it is also a sound second line of defence for bound values.
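      The following is an added example, not code from the rule page or from SonarSource, showing the three patterns the description discusses against a constructed in-memory SQLite table: a query built by concatenating a tainted value (the pattern this rule reports), the same query with a bound parameter, and allow-list / type validation for the parts of a query that cannot be bound. The table, the sample rows and the function names are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample database for the example (not from the rule page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_user_vulnerable(conn, name):
    # Noncompliant: the tainted value becomes part of the query text, so a
    # value such as  ' OR '1'='1  turns the WHERE clause into a tautology.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Compliant: the value is bound to a placeholder and sent separately from
    # the SQL text, so it is compared literally and cannot alter the query.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

def find_user_by_id(conn, id_text):
    # Validation by type conversion: anything that is not an integer (for
    # example "1 OR 1=1") is rejected before it reaches the database.
    user_id = int(id_text)
    return conn.execute(
        "SELECT name, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()

# Identifiers cannot be bound as parameters, so the sort column is checked
# against an allow list before being interpolated into the query text.
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(
        f"SELECT name, role FROM users ORDER BY {sort_column}"
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))  # every row leaks
    print("safe:      ", find_user_safe(db, payload))        # no match
    print("by id:     ", find_user_by_id(db, "1"))
    print("sorted:    ", list_users_sorted(db, "name"))
```

      The vulnerable function returns the whole table for the tautology payload, while the bound version returns nothing because the database compares the literal string. The same distinction applies to any driver or ORM: an API that accepts a query string plus a separate parameter collection is safe for values, and everything that is spliced into the query text itself needs validation.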

          Issue Links

          1. C# RSPEC-4073 (Language-Specification, Active, Unassigned)
          2. Java RSPEC-5129 (Language-Specification, Active, Unassigned)
          3. PHP RSPEC-5130 (Language-Specification, Active, Unassigned)
          4. Python RSPEC-5537 (Language-Specification, Active, Unassigned)
          5. JavaScript RSPEC-6051 (Language-Specification, Active, Unassigned)

              People

              Assignee:
              Unassigned
              Reporter:
              ann.campbell.2 (Ann Campbell)