Not detecting code with potential for sql injection

SonarQube, version: 9.0.0.45539, developer edition

I would expect SQ to detect the below code as vulnerable to SQL injection, but nothing is detected.

public async Task Test(string personId)
{
    await using var connection = new SqlConnection(_connectionString);
    var commandText = "SELECT * FROM Person WHERE ID = " + personId;
    connection.Open();
    await using var command = new SqlCommand(commandText, connection);
    await command.ExecuteReaderAsync(CommandBehavior.CloseConnection);
}

Given that the ID could be varchar in my eyes this is vulnerable, but I might be wrong…

Hello @nicklasjepsen,

Are you sure that the personId variable is being assigned with a value coming from unsanitized user input?
If this is not the case then there is no exploitable SQL Injection and this is why SonarQube is not raising.

Nevertheless, you should have the Security Hotspot (S2077) that is triggered to tell you that concatenating untrusted values into a SQL query command is risky.

If you still don’t have a SQL Injection issue raised while your are sure that the personId value can be controlled by a malicious user, then please share a reproducer project so we can analyze it on our side.

Alex

Hi @Alexandre_Gigleux
Thank you for your reply!

I am pretty sure it’s coming from an unsanitized user input, in our case a web api accepting a string. Also, we do not see the S2077 hot spot in the results.

I will setup a repro project and share with you.

Nick

@Alexandre_Gigleux

Here’s a project where no security hotspots are detected.
sq-sql-injection-sample.zip (3.3 KB)
It’s .net 5, we are using Azure DevOps to build and analyze and here are the results:

This is indeed weird that no Security Hotspot is raised by S2077. I reported the problem to our engineering team and will get back to you once we better understand the problem.

I can see in your reproducer you added a user input coming from the Console:

var input = Console.ReadLine();

We don’t consider inputs from the Console as tainted. We raise taint vulnerabilities only on Web Applications. So your input should come from a Controller to raise the expected issue.

(don’t pay attention to the NetCore3MVC in the screenshot, it’s really a DotNet 5 Web App)

Alex

Thanks for the quick reply, we just bought SonarQube and really want to be able to built it into our dev process, and start use/trust SonarQube to find issues in our code.

Since this is a new installation of the SonarQube server could there be something wrong with our installation?
We also see other projects (.net 5, web apps) where SQ is not analyzing .cs files. It does analyze .cshtml and so on but not plain .cs files:
image

I already created a ticket on that matter, but now I am wondering if it could be related somehow?
Here’s the related ticket: Not analyzing .cs files - only .cshtml, js, etc

I think it’s very important to not mix topics in this forum, otherwise it can become pretty messy :slight_smile: I’m sure someone will pick-up your problem of having some .cs files not scanned. One suggestion: don’t forget to precise the version of SQ you are using.

@Alexandre_Gigleux I have stated the SQ version in both topics. Also, I don’t think it’s mixing up topics if the problem is the SQ installation, since these 2 issues are generated by the same SQ installation on the same server.