Dapper SqlInjection

Hi, I read (here: SonarCloud Community: Major updates on security rules for Python, C# and Java) that SonarCloud should support C# code analysis against SqlInjection even using Dapper. I have the following code:

    public async Task<UserDto[]> FindAll(string param)
    {
        SqlCommand command;
        string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
        command = new SqlCommand(sensitiveQuery); // Correctly detected

        using (var uow = ConnectionProvider.Create())
        {
            var entities = await uow.QueryAsync<UserDto>(sensitiveQuery); // Not detected
            return entities.ToArray();
        }
    }

Sonar correctly identifies line 5 as dangerous, but does not mark line 9 as a potential risk.

Can you please advise me how to arrange the designation of line 9 as a potential risk?

Tested on https://sonarcloud.io/ and on SonarLint VS add-on (version 4.25.0.20544)

Hi @AlzaMartinHoly and welcome to the community forum.

Is it a public project you analyzed on SonarCloud? If yes, could you point me to this project?

If this is not a private project, could you please provide a reproducer that I could easily build? It would be easier, for example, if you provided the import and the implementation of UserDto.

Thank you.
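The data flow from the question, with the string-formatted Dapper call beside a parameterized one, as an added example that is not part of the original posts. It assumes the Dapper and Microsoft.Data.Sqlite NuGet packages, an in-memory SQLite database in place of the poster's ConnectionProvider, a hypothetical one-property UserDto, and a SELECT in place of the post's INSERT so that QueryAsync returns rows.

```csharp
// Added example. Assumed NuGet packages: Dapper, Microsoft.Data.Sqlite.
using System;
using System.Linq;
using System.Threading.Tasks;
using Dapper;
using Microsoft.Data.Sqlite;

// Hypothetical DTO; the thread does not show the real UserDto.
public class UserDto { public string Name { get; set; } = ""; }

public static class Demo
{
    // Tainted flow, as in the question: caller input becomes part of the SQL text
    // that is handed to Dapper's QueryAsync.
    public static async Task<UserDto[]> FindConcatenated(SqliteConnection db, string param)
    {
        string sensitiveQuery = string.Format(
            "SELECT name AS Name FROM Users WHERE name = '{0}'", param);
        return (await db.QueryAsync<UserDto>(sensitiveQuery)).ToArray();
    }

    // Parameterized form: the SQL text is a constant and the input travels
    // separately as a bound value, so it is never parsed as SQL.
    public static async Task<UserDto[]> FindParameterized(SqliteConnection db, string param)
    {
        const string sql = "SELECT name AS Name FROM Users WHERE name = @name";
        return (await db.QueryAsync<UserDto>(sql, new { name = param })).ToArray();
    }

    public static async Task Main()
    {
        // In-memory database: it lives only while this connection stays open.
        using var db = new SqliteConnection("Data Source=:memory:");
        await db.OpenAsync();
        await db.ExecuteAsync("CREATE TABLE Users (name TEXT)");
        // Dapper runs the statement once per element of the parameter array.
        await db.ExecuteAsync("INSERT INTO Users (name) VALUES (@name)",
            new[] { new { name = "alice" }, new { name = "bob" } });

        string input = "x' OR '1'='1"; // constructed sample input
        var concatenated = await FindConcatenated(db, input);
        var parameterized = await FindParameterized(db, input);
        // The concatenated query matches every row; the bound one matches none.
        Console.WriteLine($"concatenated: {concatenated.Length} rows");
        Console.WriteLine($"parameterized: {parameterized.Length} rows");
    }
}
```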