Details
- Type: Vulnerability Detection
- Status: Active
- Resolution: Unresolved
- Labels:
- Message: Change this code to not construct database queries directly from user-controlled data.
- Highlighting:
- Default Severity: Blocker
- Impact: High
- Likelihood: High
- Default Quality Profiles: Sonar way
- Covered Languages: C#, Java, JavaScript, PHP, Python, TypeScript
- Irrelevant for Languages: CSS, HTML
- Remediation Function: Constant/Issue
- Constant Cost: 30min
- Analysis Level: Abstract Interpretation
- Analysis Scope: Main Sources
- Common Rule: Yes
- CERT: IDS00-J.
- CWE: CWE-89, CWE-564, CWE-20, CWE-943
- OWASP: A1
- SANS Top 25: Insecure Interaction Between Components
- FindBugs: SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING
- FindSecBugs: SQL_INJECTION, SQL_INJECTION_HIBERNATE, SQL_INJECTION_JDO, SQL_INJECTION_JPA
- FxCop: ReviewSqlQueriesForSecurityVulnerabilities, CA2100
Description
User-provided data, such as URL parameters, should always be considered untrusted and tainted. Constructing SQL queries directly from tainted data enables attackers to inject specially crafted values that change the initial meaning of the query itself. Successful database query injection attacks can read, modify, or delete sensitive information from the database and sometimes even shut it down or execute arbitrary operating system commands.
Typically, the solution is to use prepared statements and to bind variables to SQL query parameters with dedicated methods like setParameter, which ensures that user-provided data will be properly escaped. Another solution is to validate every parameter used to build the query. This can be achieved by transforming string values to primitive types or by validating them against a white list of accepted values.
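The two remediations described above, shown as an added example that is not part of the rule page or of any Sonar analyzer code: a Python sqlite3 lookup that concatenates a tainted value into the query (the pattern this rule reports), beside a compliant version that binds the value as a parameter, and a second compliant function that validates an identifier against an allow list and converts a numeric string to a primitive type because identifiers and limits cannot be bound. The table, its rows and the crafted input are constructed for the example.

```python
import sqlite3

# Constructed sample data: an in-memory users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def find_user_noncompliant(conn, name):
    # Noncompliant: the tainted value becomes part of the SQL text, so a
    # crafted value changes the meaning of the query.
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_compliant(conn, name):
    # Compliant: the query text is constant; the value is bound as a
    # parameter and is never interpreted as SQL.
    query = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()

# Allow list of column names a caller may sort by (constructed for the example).
ALLOWED_SORT_COLUMNS = {"name", "role"}

def list_users_compliant(conn, sort_by, limit):
    # Compliant: a column name cannot be bound, so it is checked against the
    # allow list; the limit is converted to int before it reaches the query.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    limit = int(limit)  # raises ValueError for anything that is not a number
    query = f"SELECT name, role FROM users ORDER BY {sort_by} LIMIT ?"
    return conn.execute(query, (limit,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tainted = "x' OR '1'='1"  # constructed malformed input
    print(find_user_noncompliant(db, tainted))  # every row: the WHERE clause was rewritten
    print(find_user_compliant(db, tainted))     # no rows: the value matched no name
    print(list_users_compliant(db, "name", "2"))
```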
See
- OWASP SQL Injection Prevention Cheat Sheet
- OWASP Top 10 2017 Category A1 - Injection
- MITRE, CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
- MITRE, CWE-20 - Improper Input Validation
- MITRE, CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
- CERT, IDS00-J. - Prevent SQL injection
- SANS Top 25 - Insecure Interaction Between Components
Attachments
Issue Links
- is related to: RSPEC-2077 Formatting SQL queries is security-sensitive (Active)

| # | Language | Issue | Status | Assignee |
|---|---|---|---|---|
| 1 | C# | RSPEC-4073 | Active | Unassigned |
| 2 | Java | RSPEC-5129 | Active | Unassigned |
| 3 | PHP | RSPEC-5130 | Active | Unassigned |
| 4 | Python | RSPEC-5537 | Active | Unassigned |
| 5 | JavaScript | RSPEC-6051 | Active | Unassigned |