SQL Injection security hotspot not caught by SonarQube

I ran this test today to see if SonarQube could detect SQL Injection.
I constructed a simple form with an input field, where the code reads this field, creates a dynamic SQL statement from this input and runs it against the database.

This should have triggered an OWASP Top 10 SQL Injection error:
Formatting SQL queries is security-sensitive

The documentation says that this method signature is tested:

[quote]The following specific method signatures are tested:

System.Data.SqlClient.SqlCommand.SqlCommand(string, ...) 

[/quote]

    using System;
    using System.Data.SqlClient;

    public partial class WebForm1 : System.Web.UI.Page {
        protected void Page_Load(object sender, EventArgs e) {
            // Untrusted input read straight from the request (query string or form field)
            var name = Request["Name"].ToString();

            // Query text built by string concatenation: this is the SQL injection test case
            var sqlCommand = "Select * from Users where Name = '" + name + "'";

            using (SqlConnection connection = new SqlConnection(DBConnection.ConnectionString)) {
                // The documented tested signature: SqlCommand(string, ...)
                SqlCommand command = new SqlCommand(sqlCommand, connection);

                connection.Open();
                command.ExecuteNonQuery();

                command.Dispose();
            }
        }
    }

This was not caught by the Scanner.

Running:
SonarQube 8.0
SonarScanner for MSBuild 4.7.1.231
Visual Studio 2019 (C#)


Hi,

What edition are you using?

 
Ann

I am running the most recent versions.

Hi,

Which edition of SonarQube 8.0 are you running? SQL injection detection is available from Developer Edition and up.

 
Ann

I am using the Community Edition.


How are we to know what features work and do not work?

With the Community edition installed, I go to the Rules page, and filter on C# and security hotspot

http://localhost:9000/coding_rules?languages=cs&open=csharpsquid%3AS2077&types=SECURITY_HOTSPOT

There are 16 items listed there, including “Formatting SQL queries is security-sensitive”.

However, there is nothing in the description to indicate that this is only valid in Developer Edition or that this is not available in Community Edition. How many other features listed do not actually work in Community?

Hi,

If you see the rule in your instance, then it should work. Sorry for the confusion. I thought you were talking about a different rule. So…

  • is the rule enabled in your Quality Profile?
  • are you using one of the formatting methods against which issues are raised? (I don’t think so, unless concatenation calls String.Concat under the covers…?)
  • are you using one of the method signatures that’s tested? (Again, I’m not sure you are.)

Now for those last two questions, it would be entirely fair of you to say that if the way you did it didn’t raise an issue, it’s a False Negative. And those we know how to fix…

 
Ann

Yes, I believe the rule is in the Quality Profile; it is part of the C# default profile. It is a built-in rule and cannot be deactivated. It is one of the 16 Security Hotspots flagged as Critical. All 16 are active.

I was not using String.Concat() but rather the default string concatenation operator “+”.
I was using one of the method signatures listed: System.Data.SqlClient.SqlCommand.SqlCommand(string, ...)

I just changed the code to use String.Concat(), but it still did not pick it up.

Hi @AndrewC75. We’ll investigate this False Negative with this ticket #2800 - thanks!

Just a minor correction - S2077 is a security hotspot and will not detect injection vulnerabilities, but rather sensitive places in the code which may or may not be vulnerable.

In the Developer Edition we have a taint analysis engine which powers rule S3649 and which detects actual injection vulnerabilities - starting from the user input and reaching the database.

You can read the difference between Security Hotspots and Security Vulnerabilities here: https://www.sonarqube.org/features/security/

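The following is an added example, not code from the original poster or from SonarSource, illustrating the distinction drawn above: the same source-to-sink flow as the original test (Request input reaching a SqlCommand built by concatenation), a constant-only concatenation that is a hotspot but not an injection, and the parameterized form that removes the taint flow. The connection string, the Users table with a Name column, and the method names are assumptions for this example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public partial class WebForm1 : System.Web.UI.Page
{
    // Assumed for the example; the original post reads DBConnection.ConnectionString.
    private const string ConnectionString =
        "Server=(local);Database=App;Integrated Security=true";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Source: untrusted request parameter (query string or form field).
        string name = Request["Name"];

        // Only the parameterized lookup is used by the page; the other two
        // methods exist to show what a hotspot rule versus taint analysis would see.
        int matches = CountUsersParameterized(name);
        Response.Write("Matches: " + matches);
    }

    // Vulnerable: the tainted value is spliced into the SQL text.
    // A value such as   ' OR 1=1 --   turns the WHERE clause into an always-true
    // predicate, so the query returns every row. S2077 would flag the SqlCommand
    // constructor as a hotspot; S3649 (taint analysis) would report it as a
    // vulnerability because the flow runs from Request to SqlCommand.
    public static int CountUsersVulnerable(string name)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Name = '" + name + "'";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // Hotspot but not a vulnerability: the query is still assembled from strings,
    // so S2077 has something to review, but no attacker-controlled data is involved.
    // This is the "may or may not be vulnerable" case the hotspot description refers to.
    public static int CountUsersConstantConcat()
    {
        string sql = "SELECT COUNT(*) FROM Users " + "WHERE Active = 1";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // Hardened: the SQL text is a constant and the untrusted value travels as a
    // typed parameter, so it can never change the structure of the statement.
    // A taint engine sees no path from Request into the query string.
    public static int CountUsersParameterized(string name)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE Name = @name";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length: the driver encodes the value; no quoting or
            // escaping is done in application code.
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value =
                (object)name ?? DBNull.Value;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }
}
```

Feeding the value `' OR 1=1 --` to CountUsersVulnerable returns the size of the whole table, while the same value passed to CountUsersParameterized is compared literally against the Name column and returns 0. The constant-concatenation method is why a hotspot rule cannot by itself say whether the code is exploitable: it raises review points at the sink regardless of where the strings came from, whereas the taint rule needs the Developer Edition engine to connect the sink back to a source.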