VULN Symfony / Doctrine SQL Injection

  • Versions: SonarQube Version 7.9.1 (build 27448) + Sonar-Scanner macOS Version 4.2.0.1873
  • Trying to detect SQL Injection VULNs in Doctrine usages

I am trying to detect SQL injection patterns in wrong usages of Doctrine QueryBuilder like:

return $this->createQueryBuilder('aTable')
    ->andWhere('aTable.reference = ' . $value)
    ->getQuery()
    ->getOneOrNullResult();

The rule php:S2077 is enabled.
It detects properly the classical injection:
mysqli_query($link, "SELECT * FROM Data WHERE ".$this->value);

But it does not detect the first one (using QueryBuilder).

Do I need to enable another rule?
Does this rule manage QueryBuilder?

Best Regards

Doctrine QueryBuilder is supported with the rule S3649 but not for S2077 for the moment. Notice that the detection of injection vulnerabilities like S3649 is available starting with SonarQube Commercial Edition.

We will try to add the support of QueryBuilder to the S2077 rule.

Thank you for the report.

Eric

Hi Eric,

I’ve just tested with an evaluation key of the Developer Commercial version to detect this type of SQLi:

$this->createQueryBuilder('u')
            ->andWhere('u.reference = ' . $name)
            ->getQuery()
            ->getOneOrNullResult();

The class itself extends Doctrine ServiceEntityRepository.

I have checked that the phpsecurity:S3649 rule is enabled in the “sonar-way” profile.

But the detection does not seem to trigger the warning.

Do you have an example that works with createQueryBuilder Doctrine objects?

It does not detect such a construct either:
$entityManager->createNativeQuery('SELECT abc FROM X WHERE X = ' . $data, $rsm);

Do you have an example that works with createNativeQuery Doctrine objects?

Thanks for your inputs,
Best Regards
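For readers following the two constructs raised above (the concatenated `andWhere()` in the first post and the concatenated `createNativeQuery()` in this reply), the following repository class places each unsafe form beside its parameter-bound equivalent. This is an added example written for this page, not code from the thread or from SonarSource; it assumes a current Doctrine ORM installed via Composer, and the entity class `App\Entity\Reference`, the `reference` table and the `code` column are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). Assumes doctrine/orm via Composer.
// App\Entity\Reference, the "reference" table and the "code" column are
// hypothetical names used only to make the two query styles concrete.

namespace App\Repository;

use App\Entity\Reference;
use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
use Doctrine\ORM\Query\ResultSetMapping;
use Doctrine\Persistence\ManagerRegistry;

final class ReferenceRepository extends ServiceEntityRepository
{
    public function __construct(ManagerRegistry $registry)
    {
        parent::__construct($registry, Reference::class);
    }

    // UNSAFE: $value is spliced into the DQL text, so the caller's input
    // controls the query structure. This is the pattern the thread asks
    // SonarQube to flag (S2077 / S3649).
    public function findByReferenceUnsafe(string $value): ?Reference
    {
        return $this->createQueryBuilder('r')
            ->andWhere('r.reference = ' . $value)
            ->getQuery()
            ->getOneOrNullResult();
    }

    // SAFE: a named placeholder is bound with setParameter(); Doctrine hands
    // the value to the driver separately from the statement text.
    public function findByReference(string $value): ?Reference
    {
        return $this->createQueryBuilder('r')
            ->andWhere('r.reference = :ref')
            ->setParameter('ref', $value)
            ->getQuery()
            ->getOneOrNullResult();
    }

    // UNSAFE native SQL: the same defect, now in raw SQL rather than DQL.
    public function countByCodeUnsafe(string $data): int
    {
        $rsm = new ResultSetMapping();
        $rsm->addScalarResult('cnt', 'cnt', 'integer');

        $query = $this->getEntityManager()->createNativeQuery(
            'SELECT COUNT(*) AS cnt FROM reference WHERE code = ' . $data,
            $rsm
        );

        return (int) $query->getSingleScalarResult();
    }

    // SAFE native SQL: positional placeholder (numbered from 1) bound with
    // setParameter(); the SQL string never contains user input.
    public function countByCode(string $data): int
    {
        $rsm = new ResultSetMapping();
        $rsm->addScalarResult('cnt', 'cnt', 'integer');

        $query = $this->getEntityManager()->createNativeQuery(
            'SELECT COUNT(*) AS cnt FROM reference WHERE code = ?',
            $rsm
        );
        $query->setParameter(1, $data);

        return (int) $query->getSingleScalarResult();
    }
}
```

The two safe methods are what a code review (or a taint-tracking rule such as S3649) should accept: the query text is a constant and every user-controlled value travels through `setParameter()`. When auditing a Doctrine code base by hand, searching for `.` concatenation or string interpolation inside `andWhere()`, `where()`, `createQuery()` and `createNativeQuery()` arguments finds the unsafe shape regardless of whether a scanner rule currently covers it.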

Hello Guillaume

Take a look at a small Doctrine example I have analyzed with SonarCloud here.

  • on line 24 a SQL injection is correctly raised when calling the createNativeQuery() method
  • but on line 34 a SQL injection is not raised when calling the createQueryBuilder() method

So SonarQube/SonarCloud is able to detect vulnerabilities when using Doctrine ORM, but some limitations are also known. For your code examples, it is likely the same kind of problem as in the example I provided. To be sure, maybe you can share more relevant code on GitHub?

Thank you.

Eric