False Negative: tsql:S1523 EXEC potential injection is not detected

Hi,

This concerns T-SQL.

The rule in question is S1523 Dynamically executing code is security-sensitive.

I believe there is a False Negative, as SonarQube does not flag any issue if a dynamic query is passed as a variable.

I am using SonarQube 9.9 Developer edition.

Here is an example of the issue, taken straight from the Sensitive Code Example of S1523 with the query passed as a variable instead; this will not be flagged as an issue:

CREATE PROCEDURE USER_BY_EMAIL(@email VARCHAR(255)) AS
BEGIN
  DECLARE @SqlString NVARCHAR(MAX) = 'USE AuthDB; SELECT id FROM user WHERE email = ''' + @email + ''' ;' -- Sensitive: could inject code using @email
  EXEC @SqlString
END
GO

Using EXEC sp_executesql @SqlString in the previous sample will also not be flagged as an issue.

Thanks,
Ludovic

1 Like

Hey @LTCell ,
Thanks for pointing this out!

I can confirm that this should raise but it does not.
The main culprit from my understanding does not seem to be SonarQube, but the parentheses around @SqlString, or in your case the lack of them.

Technically both EXEC (@this) and EXEC @this are valid T-SQL, but for some reason we fail to report on the second one.
You can see this for yourself, if you are curious: Just by wrapping the argument of EXEC in parentheses, you should see an issue being raised as expected.

I opened an issue about it in our T-SQL dedicated backlog.

Thanks again!

1 Like
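The lookup from the original post written three ways, as an added example that is not from the thread or from the SonarSource rule description: the concatenated form the rule is meant to flag, a parameterised sp_executesql call, and a static statement. The AuthDB database and the user(id, email) table are assumed from the post.

```sql
-- Added example, not from the thread. Assumes the AuthDB database and the
-- dbo.[user](id, email) table named in the post exist.

-- 1. String concatenation: the value of @email becomes part of the SQL text,
--    so a crafted value changes the statement. EXEC (@SqlString) runs the
--    text as a batch; EXEC @SqlString without parentheses instead treats the
--    value of @SqlString as the name of a stored procedure to run.
CREATE PROCEDURE dbo.USER_BY_EMAIL_UNSAFE(@email VARCHAR(255)) AS
BEGIN
  DECLARE @SqlString NVARCHAR(MAX) =
    N'SELECT id FROM AuthDB.dbo.[user] WHERE email = ''' + @email + N''';';
  EXEC (@SqlString); -- Sensitive: @email is spliced into executable SQL
END
GO

-- 2. Parameterised dynamic SQL: the statement text is a constant and @email
--    is bound as a typed parameter, so its value is never parsed as SQL.
CREATE PROCEDURE dbo.USER_BY_EMAIL_SAFE(@email VARCHAR(255)) AS
BEGIN
  DECLARE @SqlString NVARCHAR(MAX) =
    N'SELECT id FROM AuthDB.dbo.[user] WHERE email = @p_email;';
  EXEC sp_executesql
       @SqlString,
       N'@p_email VARCHAR(255)',
       @p_email = @email;
END
GO

-- 3. Where no dynamic SQL is needed, a static statement is the simplest fix
--    and leaves S1523 nothing to report.
CREATE PROCEDURE dbo.USER_BY_EMAIL_STATIC(@email VARCHAR(255)) AS
BEGIN
  SELECT id FROM AuthDB.dbo.[user] WHERE email = @email;
END
GO
```

Only the first procedure is a dynamic-execution sink; the rule should raise on it regardless of whether the concatenated text is built inline or stored in a variable first.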
