Sql Injection is not being detected

I am using the free trial version of the Enterprise edition to test the coverage of the OWASP Top 10, as I saw that SQL injection is only detected from the Enterprise edition onward, but it is not recognizing the presence of the flaw. I do not know if this could be a mistake on my part for lack of some configuration, but I enabled the rules that cover this error.

I am using a C# program with the integration of SonarQube and Azure DevOps.

My code:

using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using WebApplication1.Controllers;

namespace WebApplicationDotNetCore.Controllers
{
    public class RSPEC3649SQLiNoncompliant : Controller
    {
        private readonly UserAccountContext _context;

        public RSPEC3649SQLiNoncompliant(UserAccountContext context)
        {
            _context = context;
        }

        // "user" comes straight from the HTTP request and is concatenated into the SQL text
        public IActionResult Authenticate(string user)
        {
            string query = "SELECT * FROM Users WHERE Username = '" + user + "'";

            var userExists = false;
            if (_context.Database.ExecuteSqlCommand(query) > 0) // Noncompliant
            {
                userExists = true;
            }

            return Content(userExists ? "success" : "fail");
        }
    }
}

Hello,

Can you share a public repository containing your code so that we can try to reproduce the problem on our side?

Thanks
Alex

Hello, thanks for listening.

The repository of this code is private, however, I have this second example, where the same problem occurs, but with slightly different code. (https://github.com/gabirlSilva/Sqube.git)

using System;
using System.Threading.Tasks;
using Microsoft.Data.SqlClient;

namespace SqlInjectionTest
{
    class Program
    {
        // Entry point: the original post had "string args", which is not a valid Main signature
        static async Task Main(string[] args)
        {
            Console.WriteLine("Insera um nome ou um SqlInjection:");

            // Console input is concatenated directly into the query text
            var unsafeString = Console.ReadLine();

            await using var conn = new SqlConnection();
            await using var command = conn.CreateCommand();
            command.CommandText = "SELECT * FROM usu_user WHERE user_first_name = '" + unsafeString + "'";
            await using var reader = await command.ExecuteReaderAsync();
            if (!reader.HasRows)
                return;

            var arr = new object[reader.FieldCount];

            while (await reader.ReadAsync())
            {
                reader.GetValues(arr);
                Console.WriteLine(string.Join(", ", arr));
            }
        }

        public static async void Test()
        {
            await Task.Delay(1000);
            await Task.Delay(2000);
            Console.WriteLine("x");
        }

        // "parametro" is formatted into the SQL text and reaches three sinks
        public static void Bar(SqlConnection connection, string parametro)
        {
            SqlCommand command;
            string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", parametro);
            command = new SqlCommand(sensitiveQuery);

            command.CommandText = sensitiveQuery;

            SqlDataAdapter adapter;
            adapter = new SqlDataAdapter(sensitiveQuery, connection);
        }
    }
}

Hello,

Can you confirm the version of SonarQube you are using?

In the past we used to consider projects with “Test” in the name as projects containing only unit tests, and for them we were not trying to find vulnerabilities … because they are not going to be delivered in PROD.
Maybe there are still corner cases we missed. In order to confirm you are facing that problem, you can recreate your Sqube project but just don’t use “Test” when you create the Solution and the Project. Name it “SqlInjectioniGabriel” to be clear.

Alex

Hello, I am using version 8.8.0.42792 of SonarQube. I made the changes, thanks.

Looking more carefully at your code, I realized that your app is a Console App, while we do support Web Apps. So it is expected that there is no issue raised on your “Sqube” repo.
This is linked to the fact that we don’t consider Console.ReadLine() as a source, we consider what is provided in the command line as trusted.
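To make the distinction in Alex's reply concrete, here is an added example (not code from the thread, and not SonarSource's own) of the same lookup written as an ASP.NET Core controller, where the value comes from the HTTP request rather than from Console.ReadLine(). The controller name, the routes, the table and the connection-string placeholder are all assumptions. The first action concatenates request input into the SQL text; the second sends the same value as a bound parameter, so the SQL string stays constant and the database never parses the input as SQL.

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;

namespace SqlInjectionDemo.Controllers
{
    // Hypothetical controller for illustration; the connection string is a placeholder.
    public class UsersController : Controller
    {
        private const string ConnectionString = "<CONNECTION_STRING_PLACEHOLDER>";

        // Source: query-string value from the HTTP request.
        // Sink: the value is concatenated into CommandText. Noncompliant.
        [HttpGet("/users/unsafe")]
        public IActionResult FindUnsafe([FromQuery] string user)
        {
            using var conn = new SqlConnection(ConnectionString);
            using var command = conn.CreateCommand();
            command.CommandText = "SELECT * FROM Users WHERE Username = '" + user + "'";
            conn.Open();
            using var reader = command.ExecuteReader();
            return Content(reader.HasRows ? "success" : "fail");
        }

        // Same lookup, hardened: the SQL text is a constant and the request value
        // travels as a typed parameter, so it can only ever be compared as data.
        [HttpGet("/users/safe")]
        public IActionResult FindSafe([FromQuery] string user)
        {
            using var conn = new SqlConnection(ConnectionString);
            using var command = conn.CreateCommand();
            command.CommandText = "SELECT * FROM Users WHERE Username = @user";
            command.Parameters.Add(
                new SqlParameter("@user", System.Data.SqlDbType.NVarChar, 256)
                {
                    Value = user ?? string.Empty
                });
            conn.Open();
            using var reader = command.ExecuteReader();
            return Content(reader.HasRows ? "success" : "fail");
        }
    }
}
```

In a Web App project the `[FromQuery]` argument is the kind of input a taint analysis treats as attacker-controlled, which is why a concatenation like the one in `FindUnsafe` is the pattern a SQL-injection rule is meant to flag, whereas `FindSafe` has no path from request data into the SQL text.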