PHP SQL Injection False Negative

SonarQube version 8.9.0.43852, PHP
The following code contains SQL Injection, but it is not detected by SonarQube.

<?php
class Test {
    public function test_function() {
        $json = $_GET['test'];
        $json = stripslashes($json);
        $json = json_decode($json, true);
        $selected_list = $json['test'];
        $files = mysql_query("SELECT * from test_table WHERE `test` = $selected_list");
    }
}
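The snippet above, placed next to a hardened version, as an added example that is not part of the thread or of SonarQube's own code. The point it makes is the one the report relies on: neither stripslashes() nor json_decode() neutralises SQL metacharacters, so the decoded string reaches the query unchanged, and the fix is parameter binding plus validation of the decoded value rather than any string "cleaning". Assumptions: a PDO connection is injected as $pdo, and the table test_table with its column `test` exists (both hypothetical); the mysql_* extension was removed in PHP 7.0, so the vulnerable method is kept only to mirror the report and will not run on a current PHP.

```php
<?php
// Added example (not from the thread): the reported pattern beside a hardened form.
// Assumed: a PDO connection in $pdo and a table test_table with column `test`
// (hypothetical names taken from the report).
class Test {
    private PDO $pdo;

    public function __construct(PDO $pdo) {
        $this->pdo = $pdo;
    }

    // Vulnerable: the attacker-controlled value flows from $_GET through
    // stripslashes() and json_decode() into a string-interpolated query.
    // stripslashes() only removes backslashes; it is not an SQL sanitizer.
    public function test_function_vulnerable(): void {
        $json = $_GET['test'];
        $json = stripslashes($json);
        $json = json_decode($json, true);
        $selected_list = $json['test'];
        // Sink: the value is interpolated, so quotes and operators in it are SQL.
        $files = mysql_query("SELECT * from test_table WHERE `test` = $selected_list");
    }

    // Hardened: decode strictly, validate the shape and type of what was decoded,
    // and bind the value as a parameter so the database never parses it as SQL.
    public function test_function_fixed(): array {
        $raw = $_GET['test'] ?? '';
        // $_GET['test'] may be an array (test[]=x); reject anything but a string.
        if (!is_string($raw)) {
            throw new InvalidArgumentException('parameter "test" must be a string');
        }
        // JSON_THROW_ON_ERROR turns malformed input into an exception instead of null.
        $decoded = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($decoded) || !array_key_exists('test', $decoded)) {
            throw new InvalidArgumentException('decoded JSON has no "test" key');
        }
        $selected = $decoded['test'];
        // Only scalar values make sense for an equality comparison.
        if (!is_int($selected) && !is_string($selected)) {
            throw new InvalidArgumentException('unexpected type for "test"');
        }
        // Parameter binding: the value travels separately from the SQL text.
        $stmt = $this->pdo->prepare('SELECT * FROM test_table WHERE `test` = :t');
        $stmt->execute([':t' => $selected]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

The hardened method also illustrates why a taint engine should treat stripslashes() as a pass-through for every sink type, not just XSS: nothing in the function changes what the value can do once it reaches a query, so the only sanitizer on this path is the prepared statement.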

Hey @C.L ,

You are right. This is not the expected behavior. Thanks for making us aware of this! We have identified the reason, created an internal ticket, and will fix it soon.

To give some insight:
The problem lies in the simulation of the stripslashes() call in regard to a SQL injection. The following examples would be correctly identified now:

<?php
class Test {
    public function test_function() {
        $json = $_GET['test'];
        $json = stripslashes($json);
        $json = json_decode($json, true);
        $selected_list = $json['test'];
        echo $selected_list; // XSS
    }
}

<?php
class Test {
    public function test_function() {
        $json = $_GET['test'];
        // No stripslashes()
        $json = json_decode($json, true);
        $selected_list = $json['test'];
        $files = mysql_query("SELECT * from test_table WHERE `test` = $selected_list");
    }
}

Thanks for the fix! May I know why taint analysis does not continue through the stripslashes() call, and is there any way for me to fix such issues on my end? E.g. through adding custom rules/configurations

Hey @C.L,

Apologies for the delayed response.

May I know why taint analysis does not continue through the stripslashes()

In our taint analysis engine stripslashes() is currently only configured to pass through the data for XSS and not for other vulnerability types. This is a mistake we made, and it should be fixed in the next release we do.

is there any way for me to fix such issues on my end? E.g. through adding custom rules/configurations

Starting at SonarQube enterprise edition, our security engine can be adapted with custom configuration. See Security engine custom configuration. If you have specific questions about that, you're welcome to share them in a new thread 🙂

Best regards,
Karim.