Problems to introduce vulnerability in Python Program

Hello

I’m exploring SonarCloud and I’m experimenting with a simple Python desktop app that uses SQLAlchemy. When I try to run Sonar to detect a new vulnerability (in this case, "Database queries should not be vulnerable to injection attacks"), copying the example almost verbatim, Sonar does not detect this issue. In fact, it still reports everything as it did before I coded the vulnerability.

Is this working as intended? Are SQL injection vulnerabilities only detected for Flask apps? Am I missing something?

Any help would be greatly appreciated.

Edit:

I introduced code vulnerable to SQL injection like this:

    def dar_album_por_id(self, album_id):
        # album_id is pasted straight into the SQL text (the intended injection sink)
        consulta = text('SELECT * from Album where id=%s' % album_id)
        query = session.query(Album).from_statement(consulta)
        return query.one().__dict__

I also introduced a bug following the "All “except” blocks should be able to catch exceptions" rule, but I’m getting a code smell instead. Here is the code:

    def eliminar_album(self, album_id):
        try:
            album = session.query(Album).filter(Album.id == album_id).first()
            session.delete(album)
            session.commit()
            return True
        except SQLAlchemyError as e:
            print(e)
            yield False
        except SQLAlchemyError as e:  # same exception caught twice on purpose
            print(e)
            yield False
        except:
            return False

Hey there.

A good start would be to provide a copy of the code that you expect an issue to be raised on, but no issue is being raised!

Thanks for the suggestion. I just edited my message to add two examples.

Hello @juanpabloreyesg ,

Thanks for your question. I have two questions that will help us clarify the situation:

  • What kind of SonarQube edition do you use? Community Edition? (edit: I see you are using SonarCloud, so this question does not apply)
  • Is the function dar_album_por_id() called by another function, which calls it with untrusted data as the parameter album_id?

Note: Untrusted data means data that comes from the outside of the application, such as user input.

Example:

    @app.route('/hola')
    def injection():
        # request.args is untrusted: it comes straight from the HTTP client
        album_id = request.args.get("album_id")
        objeto = YourClass()
        return objeto.dar_album_por_id(album_id)

Thanks a lot!

Loris

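To make the source-to-sink point above concrete, here is an added example (not code from the thread or from Sonar) that reproduces the `'... id=%s' % album_id` pattern from the original post and places it beside a bound-parameter version. It uses the standard-library `sqlite3` module against a constructed in-memory `album` table instead of SQLAlchemy so that it runs with no dependencies; the SQLAlchemy equivalent of the fix is noted in a comment.

```python
import sqlite3


def _make_db():
    """Constructed in-memory database standing in for the post's Album table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE album (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany(
        "INSERT INTO album VALUES (?, ?)",
        [(1, "Primero"), (2, "Segundo"), (3, "Tercero")],
    )
    return conn


def dar_album_por_id_vulnerable(conn, album_id):
    """Same pattern as the post: the caller's value becomes part of the SQL text."""
    consulta = "SELECT id, titulo FROM album WHERE id=%s ORDER BY id" % album_id
    return conn.execute(consulta).fetchall()


def dar_album_por_id_seguro(conn, album_id):
    """Bound parameter: the SQL text never changes, the value travels separately.

    SQLAlchemy equivalent of this fix (not shown running here):
        text("SELECT * FROM album WHERE id = :album_id").bindparams(album_id=album_id)
    """
    consulta = "SELECT id, titulo FROM album WHERE id=? ORDER BY id"
    return conn.execute(consulta, (album_id,)).fetchall()


def demo():
    """Run both variants with a normal value and with an untrusted (constructed) one."""
    conn = _make_db()
    trusted = "2"            # what the PyQt GUI or a test would normally pass
    untrusted = "1 OR 1=1"   # constructed: a non-numeric value arriving from outside the app
    return {
        # both variants behave the same on well-formed input ...
        "vuln_trusted": dar_album_por_id_vulnerable(conn, trusted),
        "safe_trusted": dar_album_por_id_seguro(conn, trusted),
        # ... but only the string-formatted query lets the input rewrite the WHERE clause
        "vuln_untrusted": dar_album_por_id_vulnerable(conn, untrusted),
        "safe_untrusted": dar_album_por_id_seguro(conn, untrusted),
    }


if __name__ == "__main__":
    for nombre, filas in demo().items():
        print(nombre, filas)
```

Sonar's taint analysis only flags `dar_album_por_id` when it can see a path from a source it recognises (such as `request.args` in a Flask handler) to this sink, which is why the same sink called only from a PyQt widget or a test goes unreported.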

Hi

  • Indeed, I’m using SonarCloud.

The function you mentioned is being used by the GUI, which is developed in PyQt5. It is also invoked by the test classes.

My suspicion would be that Sonar has trouble detecting this kind of vulnerability in non-web apps, but that still doesn’t explain why the exception rule is still being ignored.

Hello @juanpabloreyesg,

You guessed it right: we focus our vulnerability detection capabilities on web apps, Android and IaC (Infrastructure as Code), and not on GUI-based apps.

You can still use this doc to add PyQt capabilities to your detection as a workaround: Security Engine Custom Configuration | SonarQube Docs.

Regarding the exception rule, I’m assigning this to the right team.

Have a good day,

Loris

Hello @juanpabloreyesg,

Coming back on the exception that is caught twice, indeed S1045 should raise an issue in your code snippet.

I believe it doesn’t do so because the analyzer doesn’t correctly resolve SQLAlchemyError as an exception class. Still, knowing that this is actually the same symbol being caught twice, an issue could still be raised safely.

I created SONARPY-1100 to fix this.

Cheers,
Guillaume


Hello @juanpabloreyesg,

For the record: I created an internal ticket to suggest adding GUI code detection to our capabilities.

Thanks again for your post, it is greatly appreciated.

Cheers,

Loris
