jssecurity:S3649 does not trigger (Database queries should not be vulnerable to injection attacks)

This code does not trigger the jssecurity:S3649 check (it should).
Simply copied from the rule’s example.

var db = require('./mysql/dbConnection.js');
var crypto = require('crypto'); // needed for createHash; missing from the snippet as posted

function login(req, res) { // named so the snippet parses; the rule example uses an anonymous function
  var name = req.query.name; // user controlled input
  var password = crypto.createHash('sha256').update(req.query.password).digest('base64');

  // user input is concatenated straight into the query string
  var sql = "select * from user where name = '" + name + "' and password = '" + password + "'";

  db.query(sql, function(err, result) { // Noncompliant
     // something
  });
}

The rules are enabled, but they do not trigger.

The code and the scan log are attached:

sonar-scanner-X.log (33.8 KB)
demo.js.txt (401 Bytes)

We use Developer Edition.

  • Developer Edition
  • Version 8.9.6 (build 50800)

Hello and welcome to the community!

The code from our code sample is a bit minified. For an issue to be raised, you actually have to register this function as a controller (e.g. in an Express.js app). Otherwise, our analyzer is not aware of what type req has and that it contains user input.

Thank you. I will add some context and try again.
