C# SQL injection not detected in controller

  • ALM used - Azure DevOps
  • CI system used - Azure DevOps
  • Languages of the repository - C#
  • Private Repo

I am new to SonarCloud, so please forgive me if this is a simple config issue. I am currently investigating Sonar for the company I work for and, as part of the investigation, we have created an application with known security risks included. Two of these are SQL and XSS injection. We have run the scan via a DevOps pipeline following the instructions provided and it has failed to find them.

I believe we have everything set up correctly, and I also copied the "noncompliant" example from the SQL injection rule; this was also not picked up. I have put below the code in question, which I have confirmed is vulnerable to attack.

[HttpPost]
public async Task<ViewResult> Index([FromForm] string comment)
{
    // Deliberately vulnerable: the form value is concatenated / interpolated
    // straight into the SQL text (first-order SQL injection, source -> sink in one method).
    var sql1 = "INSERT INTO `Comments` (`Text`, `UserId`) VALUES ('" + comment + "', '" + rnd.Next(1, 20) + "'); ";
    var sql2 = $@"INSERT INTO `Comments` (`Text`, `UserId`) VALUES ('{comment}', '{rnd.Next(1, 20)}');";

    await _dapperConnectionWrapper.QueryDbAsync<object>(sql2);

    // The stored comments are read back and handed to the view, where the
    // unencoded Text is the stored (second-order) XSS candidate.
    List<Comment> comments = (await _dapperConnectionWrapper.QueryDbAsync<Comment, User, Comment>(
           $@"SELECT * FROM Comments c
                INNER JOIN Users u ON u.id=c.UserId
                ORDER BY c.CreatedDateTime DESC", (comment, user) => {
               comment.User = user;
               return comment;
           },
           splitOn: "UserId")).ToList();

    return View(new HomeViewModel()
    {
        Comments = comments
    });
}

Hi Adam and welcome to the community!

In general, those should be found. Is it possible for you to share the whole test application with me? This would make it much easier to search for the problem, thanks!


Hi Hendrik

I am sorry for the delay I needed to confirm that we can make the project public. I have put below the repo link

https://dev.azure.com/musicmagpie/_git/Snyk%20Demo


Hi Adam,

Thank you for sharing it! I will try to debug it this week, I will not be able to do it today.

Hi Adam,

In regards to the XSS vulnerabilities, those are so-called second-order vulnerabilities, meaning the user input is first stored in the database, later read from the database, and then used in the sensitive sink (i.e. the template in this case). We currently only support first-order vulnerabilities, i.e. the user input is directly used in a dangerous context.

In regards to the SQL injections, both the source and sink are supported but the issue is still not raised. I have created a ticket for SonarQube 9.4, so that my colleagues can have a more detailed look at where the taint trace is lost and hopefully resolve the issue.

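To make the first-order / second-order distinction from the reply above concrete, and to show the parameterized form of the INSERT from the original post, here is an added example (not code from the thread, from the linked repository, or from SonarSource). It assumes Dapper on an `IDbConnection`; the `Comment` type, `CommentsController` and its action names are hypothetical.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Dapper;
using Microsoft.AspNetCore.Mvc;

// Hypothetical entity matching the Comments table used in the thread.
public class Comment
{
    public int Id { get; set; }
    public string Text { get; set; }
    public int UserId { get; set; }
}

public class CommentsController : Controller
{
    private readonly IDbConnection _db;

    public CommentsController(IDbConnection db) { _db = db; }

    // First-order SQL injection: the [FromForm] value (taint source) is
    // interpolated into the SQL text that reaches ExecuteAsync (taint sink)
    // inside a single method. This is the shape a taint analyzer is expected to flag.
    [HttpPost]
    public async Task<IActionResult> UnsafeInsert([FromForm] string comment, [FromForm] int userId)
    {
        var sql = $"INSERT INTO Comments (Text, UserId) VALUES ('{comment}', '{userId}');";
        await _db.ExecuteAsync(sql);
        return RedirectToAction(nameof(Index));
    }

    // Fix: the SQL text is a constant; the user input travels as a bound parameter,
    // so it can never change the statement's structure.
    [HttpPost]
    public async Task<IActionResult> SafeInsert([FromForm] string comment, [FromForm] int userId)
    {
        const string sql = "INSERT INTO Comments (Text, UserId) VALUES (@Text, @UserId);";
        await _db.ExecuteAsync(sql, new { Text = comment, UserId = userId });
        return RedirectToAction(nameof(Index));
    }

    // Second-order flow: the Text read here was submitted in an earlier request and
    // persisted, so no request-bound source is visible in this method. An analyzer
    // that only tracks first-order flows sees a database read, not user input.
    public async Task<IActionResult> Index()
    {
        List<Comment> comments = (await _db.QueryAsync<Comment>(
            "SELECT Id, Text, UserId FROM Comments ORDER BY Id DESC")).AsList();
        return View(comments);
    }

    // Defensive rendering for stored data: HTML-encode before it reaches the page.
    // Razor's @Model.Text does this by default; Html.Raw(text) bypasses it and is
    // the sink that turns the stored comment into XSS.
    public static string RenderSafe(string storedText) =>
        HtmlEncoder.Default.Encode(storedText ?? string.Empty);
}
```

The value of the example for reviewing scanner coverage is the contrast: `UnsafeInsert` and `SafeInsert` differ only in whether the input is part of the SQL string or a parameter, and `Index` shows why a stored value has no visible source in the method where it is rendered. Treating every string read from the database as untrusted at render time (encode, never `Html.Raw`) closes the second-order case regardless of whether a tool reports it.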

Hi Hendrik

Thank you for the honest reply. If possible, could I request updates on this investigation when there is more information? As I said, the company I work for is looking to onboard all of our apps into SonarCloud, but we need to be sure that things like this don't fall through the net.

In regards to the second-order vulnerabilities, I can fully understand why these are currently not checked due to the complexity of the task, but I would like to ask if it is something you hope to add in the future.

Hi Adam,

That is totally understandable. I have added a note to the ticket to inform you once it is resolved.

In regards to the second-order vulnerabilities I have contacted the security PM, he will be the right person to answer this question.

Hi Hendrik

That is fantastic to hear, thank you.

A small update for second-order vulnerabilities: there are no plans for 2022 to tackle second-order vulnerabilities.

Hi Hendrik

Thank you for that update. I would also like to ask if there is any update on the SQL injection ticket. Also, not sure if this is the right place for this question, but the company I work for has asked if Sonar offers a client manager for large companies and, if so, whether we can possibly start these conversations.

Hi Adam,

You are welcome. The ticket has not been implemented yet. It is attached to the SonarQube 9.4 release that is planned for April. SonarCloud is not bound to the release cycle of SonarQube, so it may be released sooner there. It is still a good time frame to keep in mind for when this ticket will likely be handled.

We have Account Managers. If you let me know what company it is, I can make sure that you get contacted by your AM. If you do not want to share this information here please feel free to send an email to contact@sonarsource.com with the company name and the request, and Sales Ops will make sure to route it to the right person. Thanks!

Hi Hendrik

Sorry for the delay getting back to you. If you can, that would be very helpful; the company is Music Magpie.

Adam

Hi Adam,

I have checked with the Sales team. I was told that no Account Manager got in touch earlier since the request did not come from a company-affiliated email address. Would it be possible to send the request again to contact@sonarsource.com using a company address? Thanks!