PHP SQL Injection False Negative

SonarQube version 8.9.0.43852, PHP
The following code contains SQL Injection, but it is not detected by SonarQube.

<?php
class Test {
	public function test_function() {
            $json = $_GET['test'];
            $json = stripslashes($json);
            $json = json_decode($json, true);
            $selected_list=$json['test'];
            $files= mysql_query("SELECT * from test_table WHERE `test` = $selected_list");
	}
}

Hey @C.L ,

You are right. This is not the expected behavior. Thanks for making us aware of this! We have identified the reason, did create an internal ticket, and will fix it soon.

To give some insight:
The problem lies in the simulation of the stripslashes() call in regard to a SQL injection. The following examples would be correctly identified now:

<?php
class Test {
	public function test_function() {
            $json = $_GET['test'];
            $json = stripslashes($json);
            $json = json_decode($json, true);
            $selected_list=$json['test'];
            echo $selected_list; // XSS
	}
}
<?php
class Test {
	public function test_function() {
            $json = $_GET['test'];
            // No stripslashes()
            $json = json_decode($json, true);
            $selected_list=$json['test'];
            $files= mysql_query("SELECT * from test_table WHERE `test` = $selected_list");
	}
}

Thanks for the fix! May I know why taint analysis does not continue through the stripslashes() call, and is there any way for me to fix such issues on my end? Eg. through adding custom rules/configurations

Hey @C.L,

Excuses for the delayed response.

May I know why taint analysis does not continue through the stripslashes()

In our taint analysis engine stripslashes() is currently only configured to pass through the data for XSS and not for other vulnerability types. This is the mistake we did, and it should be fixed in the next release we do.

is there any way for me to fix such issues on my end? Eg. through adding custom rules/configurations

Starting at SonarQube enterprise edition, our security engine can be adapted with custom configuration. See Security Engine Custom Configuration | SonarQube Docs . If you have specific questions about that, you’re welcome to share them in a new thread :slight_smile:

Best regards,
Karim.