I am evaluating SonarCloud security scanning with a sample ASP.NET MVC 4.7.2 project and am not able to get it to identify SQL injection vulnerabilities.
My project is using the default Sonar Way quality profile.
Sample code:
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

public class HomeController : Controller
{
    public ActionResult UnsafeSql(int id)
    {
        // Connection string intentionally left empty in this sample.
        using (SqlConnection conn = new SqlConnection(""))
        {
            // Deliberately builds the query by string concatenation (the pattern the scan is expected to flag).
            SqlCommand cmd = new SqlCommand("SELECT * FROM Table WHERE Id = '" + id + "'");
            cmd.Connection = conn;
            conn.Open();
            SqlDataAdapter adapter = new SqlDataAdapter(cmd);
            DataSet ds = new DataSet();
            adapter.Fill(ds);
        }
        return View();
    }
}
Thank you for sharing this code sample.
From what I see, the user-controlled variable is id. Because its type is int, we consider this variable safe. For example, if you try to inject something like ' OR '1'=1 in id, the framework would throw an error.
Obviously it could behave differently on your side. If this is the case, let me know and I will investigate it further.
I changed the parameter from an int to a string as suggested, but SonarCloud is still not finding any issues.
Revised code:
public ActionResult UnsafeSql(string id)
{
    // Connection string intentionally left empty in this sample.
    using (SqlConnection conn = new SqlConnection(""))
    {
        // id is now a string, so the concatenation below carries user input straight into the SQL text.
        SqlCommand cmd = new SqlCommand("SELECT * FROM Table WHERE Id = '" + id + "'");
        cmd.Connection = conn;
        conn.Open();
        SqlDataAdapter adapter = new SqlDataAdapter(cmd);
        DataSet ds = new DataSet();
        adapter.Fill(ds);
    }
    return View();
}
My sample code is in a public project at perkinscoie/sonarcloudmvctest if you want to take a look.
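The thread turns on why an int parameter is treated as safe while a string parameter is not. The following is an added example, not code from the thread or from the linked project, that reproduces the same concatenated query against an in-memory SQLite table (constructed here, standing in for the sample's "Table") so the difference can be seen by executing it. The bind_int helper is a hypothetical stand-in for MVC model binding of an int action parameter; the parameterized safe_query is the hardened form of the sample's concatenation.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the sample's 'Table'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Items (Id INTEGER PRIMARY KEY, Name TEXT, Secret TEXT)")
    conn.executemany(
        "INSERT INTO Items VALUES (?, ?, ?)",
        [(1, "alpha", "s1"), (2, "bravo", "s2"), (3, "charlie", "s3")],
    )
    return conn


def unsafe_query(conn, id_value):
    """Mirrors the sample's "SELECT * FROM Table WHERE Id = '" + id + "'" concatenation.

    Whatever id_value contains is pasted into the SQL text, so a string
    parameter lets the caller change the query's structure.
    """
    sql = "SELECT Id, Name FROM Items WHERE Id = '" + str(id_value) + "'"
    return conn.execute(sql).fetchall()


def safe_query(conn, id_value):
    """Hardened form: the value is bound as a parameter, never part of the SQL text."""
    sql = "SELECT Id, Name FROM Items WHERE Id = ?"
    return conn.execute(sql, (id_value,)).fetchall()


def bind_int(raw):
    """Hypothetical stand-in for binding an int action parameter (assumption, not MVC code).

    A payload such as "' OR '1'='1" is not an integer, so it never reaches the
    query; the binder rejects it (returned here as None).
    """
    try:
        return int(raw)
    except ValueError:
        return None


def demo():
    """Runs the three cases side by side and returns the row counts."""
    conn = make_db()
    payload = "' OR '1'='1"
    results = {
        # int parameter: the payload cannot be bound, so nothing is queried.
        "int_binding_rejects_payload": bind_int(payload) is None,
        # string parameter + concatenation: the payload rewrites the WHERE clause
        # into Id = '' OR '1'='1' and every row comes back.
        "unsafe_rows_with_payload": len(unsafe_query(conn, payload)),
        # parameterized query: the payload is compared as a literal value and matches nothing.
        "safe_rows_with_payload": len(safe_query(conn, payload)),
        # a legitimate id behaves the same either way.
        "rows_for_id_2": len(safe_query(conn, 2)),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated query returns the whole table for the payload while the parameterized one returns no rows, which is exactly the distinction the reply above draws between the int and string versions of the action: with an int parameter the injection string is stopped before the query is built, with a string parameter it reaches the SQL text intact.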