I’m using Ent edition (8.9.1.44547)
Security Java scan missed SQLi vulnerabilities in ORDER BY/GROUP BY values.
Example:
Malicious input for query: ‘{“name”:"",“before”:"",“after”:"",“order_by”:“name”,“direction”:"asc,(selectfrom(select(sleep(8)))a)",“num_of_rows”:100}’
Regards,
Vitalyd
Hello Vitalyd and welcome to the community!
Do you have a code snippet that you could share with us, containing source and sink? Thanks!
Hello hendrik,
I do not have sink, but source function only:
Lists.newLinkedList();
String select = " a1.name, max(a1.version) as version, a1.date , a1.storing ";
String from = BUNDLES_TABLE +
" a1 join " +
" ( SELECT name, max(date_created) as date FROM " + BUNDLES_TABLE +
" WHERE status = ‘" + BundleTransactionStatus.COMPLETE.name() + "’ AND type = ? GROUP BY name " +
" ) a2 " +
" on a1.name = a2.name AND a1.date = a2.date ";
String where = " status = ‘" + BundleTransactionStatus.COMPLETE.name() + "’ " +
" AND type = ? " + addToWhereStatement(filter);
String groupBy = " a1.name, a1.date , a1.storing ";
String orderby = addOrderBy(filter);
String query = new QueryWriter()
.select(select)
.from(from)
.where(where)
.groupBy(groupBy)
.orderBy(orderby)
.limit(filter.getDaoLimit())
.offset(filter.getOffset())
.build();
Object params = setQueryParams(filter).toArray();
try (ResultSet resultSet = jdbcHelper.executeSelect(query, params)) {
while (resultSet.next()) {
artifactsBundles.add(bundleFromResultSet(resultSet, “name”, “version”, “date”,
“storing”));
}
}
return artifactsBundles;
}
Hi Vitaly,
thanks for the code! I am afraid I don’t see the connection of the code snippet to your vulnerability.
Our taint-analyzer searches for parts in the code where user input is received (e.g. String test = request.getParameter("test");, the source), follows it through the application, and checks if it ends up in a dangerous function without being sanitized (e.g. new FileInputStream(new File(test));, the sink). There are multiple reasons why an issue might not be detected, for example the function that retrieves the user input is not defined as a source, or the sensitive function that causes the vulnerability is not defined as a sink. To check if this is the case I have to know exactly how the user input is received and how it ends up in the sensitive function, thanks!
Is it possible to generate a source->sink graph in SonarQube?
Regards,
No, that is not possible unfortunately. It would only work if both the source and sink are identified correctly anyway.
Thanks Hendrik,
Sorry, i cannot send you more snippets - a lot of internal code sanitization. I totally understand what did you say - in this case, source is order by parameters received from HTTPRequest and used to create SQL query without any validation (as you can see from the code). We did reproduced this issue manually (its a blind sqli in this case, we got delay for 8 seconds for response… you can see the query in malicious payload above). Also, we used to have an alert on this from another SAST tool. As I understand, since part of this query built as StringBuffer outcome - SonarQube cannot understand the overall query creation process (I’ve seen this issue before in another commercial tool).