RSPEC-5147

NoSQL operations should not be vulnerable to injection attacks

    Details

    • Message:
      Refactor this code to not perform database operations based on tainted, user-controlled data.
    • Highlighting:
      "[varname]" is tainted (assignments and parameters)
      this argument is tainted (method invocations)
      the returned value is tainted (returns and method invocation results)
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      C#, Java, PHP
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      30min
    • Analysis Level:
      Abstract Interpretation
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CWE:
      CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)
    • OWASP:
      A1 (Injection)
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      User-provided data such as URL parameters, POST data payloads or cookies should always be considered untrusted and tainted. Applications that build NoSQL operations from tainted data can be exploited in a way similar to SQL injection: an attacker can inject query operators or database commands to read sensitive information, bypass authentication checks or compromise data integrity. Unlike SQL, the injected value does not have to be a string; with document databases a decoded request body can carry an object or array (for example a value of {"$ne": ""}) that the driver interprets as a query operator rather than as data.

      The problem can be mitigated by validating the user-provided data before it reaches the query, preferably against a whitelist of allowed characters or values, and by checking that each value has the expected type (a plain string rather than an object or array) so that it can only be compared as data.
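The following is an added example; it is not part of the RSPEC page and is not SonarSource's own code. It simulates, in JavaScript and without a database, the subset of MongoDB-style query matching that a document-database driver performs, so that the authentication bypass described above can be run offline next to its hardened form. The in-memory user collection, the handler names loginVulnerable and loginHardened, and the username allowlist pattern are all assumptions made for the illustration.

```javascript
// Added example (not from the RSPEC page): in-memory simulation of a
// document-database query to show NoSQL operator injection and its fix.

// Constructed sample collection (assumed data, not real credentials).
const users = [
  { username: "admin", password: "s3cr3t-hunter2", role: "admin" },
  { username: "alice", password: "correct horse", role: "user" },
];

// Minimal subset of MongoDB query-operator semantics: a plain value means
// equality, an object means "apply each operator to the field".
function matchesField(actual, condition) {
  if (condition !== null && typeof condition === "object" && !Array.isArray(condition)) {
    return Object.entries(condition).every(([op, arg]) => {
      switch (op) {
        case "$ne": return actual !== arg;
        case "$gt": return actual > arg;
        case "$regex": return new RegExp(arg).test(String(actual));
        default: throw new Error(`unsupported operator ${op}`);
      }
    });
  }
  return actual === condition;
}

function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond))
  );
}

// Vulnerable: the parsed request body is copied straight into the query
// document. A JSON body can carry nested objects, so {"$ne": ""} arrives as
// an operator and the password check degenerates to "password is not empty".
function loginVulnerable(body) {
  const query = { username: body.username, password: body.password };
  return find(users, query)[0] || null;
}

// Hardened: every tainted value must be a plain string (so it can only be
// compared as data), and the username must also match a character whitelist.
const USERNAME_WHITELIST = /^[A-Za-z0-9_.-]{1,64}$/; // assumed policy

function requireString(value, name) {
  if (typeof value !== "string") {
    throw new TypeError(`${name} must be a string`);
  }
  return value;
}

function loginHardened(body) {
  const username = requireString(body.username, "username");
  const password = requireString(body.password, "password");
  if (!USERNAME_WHITELIST.test(username)) {
    throw new Error("username contains characters outside the whitelist");
  }
  // Both values are now strings, so the driver can only interpret them as
  // literal data, never as query operators.
  return find(users, { username, password })[0] || null;
}

// Constructed attacker request: a valid username and an operator as password.
const attack = JSON.parse('{"username":"admin","password":{"$ne":""}}');

function demo() {
  const bypass = loginVulnerable(attack);           // admin document
  let rejected = false;
  try { loginHardened(attack); } catch (e) { rejected = true; }
  return { bypassedAs: bypass && bypass.username, hardenedRejected: rejected };
}

console.log(demo());
```

The same shape of attack applies to the rule's targeted languages: in PHP a request parameter written as password[$ne]= is decoded into an array, and in Java or C# a body deserialized into a generic map or dynamic object is passed to the driver's filter builder unchanged. The type check is the control that matters for free-form fields such as passwords, where a character whitelist would be too restrictive; the whitelist is appropriate for identifiers such as usernames.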

      Language specifications

        1. Java: RSPEC-5158 (Active, Unassigned)
        2. C#: RSPEC-5159 (Active, Unassigned)
        3. PHP: RSPEC-5160 (Active, Unassigned)

      People

      • Assignee:
        Unassigned
      • Reporter:
        Lars Svensson (lars.svensson)