DatabaseClient.sql() (Spring R2DBC) not detected as SQL injection sink by S2077/S3649

Hi team,

I recently noticed that Spring R2DBC’s DatabaseClient.sql() is not recognized as a SQL injection sink by rules S2077 and S3649.

JdbcClient.sql() was added as a sink alongside other Spring sinks in SONARJAVA-4866 (April 2024), but the reactive counterpart was not included:

// NOT detected — R2DBC reactive client
client.sql("SELECT * FROM users WHERE id = '" + userInput + "'")

// IS detected — blocking JDBC client
jdbcTemplate.queryForObject("SELECT * FROM users WHERE id = '" + userInput + "'", String.class)

The only R2DBC-related sink currently covered is the internal StringBasedR2dbcQuery constructor (used by @Query annotations), not the DatabaseClient API that developers use directly for raw SQL.

This was previously raised in Implements SQL Injections rules for spring-data-r2dbc back in 2020, where a SonarSource engineer acknowledged the gap and mentioned a ticket would be created, but DatabaseClient.sql() was never added.

Spring R2DBC is widely adopted for reactive applications. Without this sink, projects using DatabaseClient for raw SQL have no SonarQube protection against SQL injection.

Is there any update on the status of this? Are there plans to add DatabaseClient.sql() as a recognized sink in an upcoming release?

Regards,

Ali

Hi Ali,

In fact, the ticket you’re referring to was resolved in 2021.

Could you give us a self-contained reproducer? Also, what’s your context for this? I.e. are you on SonarQube Cloud? SonarQube for IDE (flavor and version)? SonarQube self-managed (flavor and version)?

Thx,
Ann
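A self-contained reproducer of the kind Ann asks for, written here as an added example rather than code taken from either post or from SonarSource: the vulnerable DatabaseClient.sql() call that Ali describes (untrusted input concatenated into the statement), with the bind-parameter form that a practitioner would use instead placed beside it. The class name, method names and the injected DatabaseClient are assumptions for illustration; the API calls (DatabaseClient.sql, bind, map, one) are the real spring-r2dbc ones.

```java
// Added example, not from the original thread. Assumes org.springframework:spring-r2dbc
// and an R2DBC driver on the classpath; the DatabaseClient is assumed to be injected
// (e.g. built from a ConnectionFactory via DatabaseClient.create(connectionFactory)).
import org.springframework.r2dbc.core.DatabaseClient;
import reactor.core.publisher.Mono;

public class UserRepository {

    private final DatabaseClient client;

    public UserRepository(DatabaseClient client) {
        this.client = client;
    }

    // Vulnerable: the caller-controlled value is concatenated into the SQL text, so an
    // input such as  ' OR '1'='1  rewrites the WHERE clause. This is the call the
    // report says S2077/S3649 currently do not flag for the reactive client.
    public Mono<String> findNameUnsafe(String userInput) {
        return client.sql("SELECT name FROM users WHERE id = '" + userInput + "'")
                .map((row, metadata) -> row.get("name", String.class))
                .one();
    }

    // Safe: the statement is a compile-time constant and the value travels as a bind
    // parameter, so the driver treats it as data and never parses it as SQL.
    public Mono<String> findNameSafe(String userInput) {
        return client.sql("SELECT name FROM users WHERE id = :id")
                .bind("id", userInput)
                .map((row, metadata) -> row.get("name", String.class))
                .one();
    }
}
```

Running the analyzer over a project containing this class would be expected to report findNameUnsafe under S2077/S3649 if DatabaseClient.sql() were registered as a sink, and to stay silent on findNameSafe; the gap described above is that, today, neither method produces a finding.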