False Negative - SQL Injection (S3649) from azure functions HttpRequestData in c#

  • Language: C#
  • Platform: SonarQube Cloud
  • Scanner: Azure Devops step (SonarCloudAnalyze@3)

In an Azure Function using the isolated worker model, when we use data from the HttpRequestData object to construct an SQL query via concatenation, it should trigger S3649, but does not. No issues or security hotspots are flagged.

An edited-down version of the relevant code is:

```csharp
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Data.SqlClient; // assumed; System.Data.SqlClient has the same SqlConnection/SqlCommand shape
using Microsoft.Extensions.Configuration;

// Isolated-worker HTTP trigger: the query-string value flows unmodified into the SQL text.
[Function("HttpTrigger")]
public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequestData req)
{
    var userId = req.Query["userId"];                                // request-controlled input (taint source)
    var sqlQuery = $"SELECT * FROM Users WHERE UserId = '{userId}'"; // interpolated into the query: the S3649 pattern
    var connectionString = _config.GetConnectionString("database");  // _config is an injected IConfiguration
    using var sqlConnection = new SqlConnection(connectionString);
    using var command = new SqlCommand(sqlQuery, sqlConnection);     // tainted string reaches the sink
    await sqlConnection.OpenAsync();
    await command.ExecuteReaderAsync();
    return req.CreateResponse(HttpStatusCode.OK);
}
```

A pull request showing the vulnerable code is also available on GitHub.


That seems like a nasty SQL injection opportunity.

Hi @tonyh ,

Welcome to these forums, I am going to investigate that. Sorry for the triage delay!

Thanks a lot for providing the PR, it’s great for fast investigation.

Hi @Loris .

Any update on looking at this?

Thanks,

Tony

Hi @tonyh !

Yeah, I managed to find that the root cause is probably our support of Azure Functions, and making the analyzer understand that a method that’s annotated with `Function` is a source of “tainted data”. Multiple internal events slowed us down (reorgs, etc.) but a ticket is written and I mentioned that this should be a low-hanging fruit.

I cannot give you an ETA on this ticket though unfortunately, I would suppose Q1 2026

Cheers,

Loris