SonarCloud Misses Injection Vulnerability in RavenDB Data Push Code

Introduction

I’ve encountered a critical issue in my project where we push data to a RavenDB database without proper sanitation. Our QA team discovered that this opens up the possibility of injection attacks. Surprisingly, SonarCloud did not flag this issue. I’m looking for insights into why SonarCloud missed this vulnerability and how I can configure it to detect such problems.

Code Snippet

Here is the code snippet that pushes data to RavenDB:

_session.Advanced.Clear();
_session.Advanced.Patch<dsfsdf, sdfsfs.UserData>(
    request.sdfsdf,
    q => q.Data!,
    userData);

Discussion Points:

SonarCloud Analysis:

  • Why did SonarCloud miss this vulnerability?
  • Are there limitations or specific configurations required for SonarCloud to detect such issues?

Configuring SonarCloud:

  • Steps to configure SonarCloud for detecting injection vulnerabilities in RavenDB-related code.
  • Are there plugins or additional rules that need to be enabled?

Conclusion

I’m looking forward to hearing from the community about their experiences and solutions for ensuring data security when working with RavenDB and configuring SonarCloud effectively.

Additional Resources

If you have any links to documentation or tools that can help, please share them.
Feel free to add your insights and suggestions. Thank you!

Hello Bar and welcome to the community!

Currently, our taint analyzer has no support for RavenDB, meaning it is not aware of the dangerous functions that it provides. It is not possible to change this through configuration.

Could you share a more complete reproducer, including imports and things like this? Thanks!
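To make the point in the reply concrete, below is an added toy taint analysis. It is not SonarCloud's analyzer and not RavenDB code; the statement model, the `TaintConfig` class, and the source name `request.Form` are all constructed for illustration. The mini-program mirrors the shape of the snippet in the question: a value read from the request is copied into `userData` and then passed to `_session.Advanced.Patch`. A taint analyzer only reports a flow when the call it reaches is in its sink catalogue, so the same program produces no finding when the RavenDB method is unknown, one finding when it is registered as a sink, and no finding again when a registered sanitizer sits between source and sink.

```python
"""Toy taint analysis: a flow is only reported when the callee is a known sink.

Constructed example, not SonarCloud's engine and not RavenDB code. Statement
types, config names and the sample program are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assign:
    """target = source, where source is a variable or an entry-point name."""
    target: str
    source: str


@dataclass(frozen=True)
class Call:
    """result = callee(*args); result may be None for void calls."""
    callee: str
    args: tuple[str, ...]
    result: Optional[str] = None


@dataclass(frozen=True)
class TaintConfig:
    """The analyzer's knowledge of the libraries in use."""
    sources: frozenset[str]                    # untrusted entry points
    sinks: frozenset[str]                      # dangerous callees
    sanitizers: frozenset[str] = frozenset()   # callees whose result is clean


def analyze(program: tuple, config: TaintConfig) -> list[tuple[int, str, list[str]]]:
    """Forward taint propagation over a straight-line program.

    Returns (statement index, sink name, tainted argument names) for every
    call to a configured sink that receives tainted data.
    """
    tainted: set[str] = set()
    findings: list[tuple[int, str, list[str]]] = []
    for idx, stmt in enumerate(program):
        if isinstance(stmt, Assign):
            if stmt.source in config.sources or stmt.source in tainted:
                tainted.add(stmt.target)
            else:
                tainted.discard(stmt.target)   # overwritten with clean data
            continue
        flowing = [a for a in stmt.args if a in tainted]
        if stmt.callee in config.sinks and flowing:
            findings.append((idx, stmt.callee, flowing))
        if stmt.result is not None:
            if stmt.callee in config.sanitizers or not flowing:
                tainted.discard(stmt.result)
            else:
                tainted.add(stmt.result)       # taint passes through the call
    return findings


# Constructed mini-program shaped like the snippet in the question.
SAMPLE_PROGRAM = (
    Assign("docId", "request.Form"),           # constructed untrusted source
    Assign("userData", "docId"),
    Call("_session.Advanced.Clear", ()),
    Call("_session.Advanced.Patch", ("docId", "userData")),
)

# Same program, but the value is routed through a (constructed) sanitizer first.
SANITIZED_PROGRAM = (
    Assign("docId", "request.Form"),
    Call("Validation.CheckDocumentId", ("docId",), result="safeId"),
    Assign("userData", "safeId"),
    Call("_session.Advanced.Patch", ("safeId", "userData")),
)

SOURCES = frozenset({"request.Form"})


def run_without_ravendb_model() -> list:
    """Sink catalogue has no RavenDB entries: the flow is silently missed."""
    cfg = TaintConfig(sources=SOURCES, sinks=frozenset({"SqlCommand.ExecuteNonQuery"}))
    return analyze(SAMPLE_PROGRAM, cfg)


def run_with_ravendb_model() -> list:
    """Same program; the Patch method is now registered as a sink."""
    cfg = TaintConfig(sources=SOURCES, sinks=frozenset({"_session.Advanced.Patch"}))
    return analyze(SAMPLE_PROGRAM, cfg)


def run_with_sanitizer() -> list:
    """Sink modelled, but a registered sanitizer breaks the flow."""
    cfg = TaintConfig(
        sources=SOURCES,
        sinks=frozenset({"_session.Advanced.Patch"}),
        sanitizers=frozenset({"Validation.CheckDocumentId"}),
    )
    return analyze(SANITIZED_PROGRAM, cfg)


if __name__ == "__main__":
    print("no RavenDB model :", run_without_ravendb_model())
    print("RavenDB model    :", run_with_ravendb_model())
    print("with sanitizer   :", run_with_sanitizer())
```

The three runs share one program shape and differ only in what the analyzer has been told about the libraries; that is the gap the reply describes, and it is why no scanner setting short of a sink model for the library can surface the flow.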