gitlab.bandit.B608
Detected possible formatted SQL query. Use parameterized queries instead.
Definition
rules:
  - id: bandit.B608
    patterns:
      - pattern-either:
          - pattern: $DB.execute("..." % ...)
          - pattern: $DB.execute("...".format(...))
          - pattern: $DB.execute(f"...")
          - pattern: $DB.execute("..." + $V + "...")
          - patterns:
              - pattern-either:
                  - pattern-inside: |
                      $SQL = "..." % ...
                      ...
                  - pattern-inside: |
                      $SQL = "...".format(...)
                      ...
                  - pattern-inside: |
                      $SQL = f"...{$X}..."
                      ...
              - pattern: $DB.execute($SQL)
    message: |
      Detected possible formatted SQL query. Use parameterized queries instead.
    metadata:
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command
        ('SQL Injection')"
      owasp: "A1: Injection"
      primary_identifier: bandit.B608
      secondary_identifiers:
        - name: Bandit Test ID B608
          type: bandit_test_id
          value: B608
      license: MIT
    severity: WARNING
    languages:
      - python
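The rule matches `execute()` calls whose SQL text is assembled with `%`, `.format()`, an f-string, or `+` concatenation, either inline or via a variable assigned earlier in the same function, and does not match calls that pass values separately through driver placeholders. The following Python is an added illustration of that distinction; it is not code from the Semgrep registry or from the Bandit project. It uses the standard-library `sqlite3` module with a constructed in-memory `users` table and the constructed value `O'Brien`, which shows why the formatted form is fragile even before any attacker is involved: a single quote in the data breaks the statement, whereas the parameterized form treats the value as data and returns the expected row.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema and rows so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("O'Brien",)],
    )
    conn.commit()
    return conn


def find_user_formatted(conn, name):
    # The shape bandit.B608 flags: $SQL = "..." % ... followed by $DB.execute($SQL).
    # The value of `name` is spliced into the SQL grammar, so a quote in the data
    # changes the structure of the statement instead of being compared as text.
    query = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_parameterized(conn, name):
    # Hardened form: a `?` placeholder and the value passed as a separate argument.
    # The driver binds `name` as data, so its contents cannot alter the statement.
    # This call has no string formatting and is not matched by the rule.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    # Runs both variants against the constructed table and reports what each returned.
    conn = make_db()
    results = {}
    results["param_plain"] = find_user_parameterized(conn, "alice")
    results["param_quote"] = find_user_parameterized(conn, "O'Brien")
    results["fmt_plain"] = find_user_formatted(conn, "alice")
    try:
        find_user_formatted(conn, "O'Brien")
        results["fmt_quote_error"] = None
    except sqlite3.OperationalError as exc:
        # The unbalanced quote makes the statement unparseable.
        results["fmt_quote_error"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix the rule's message asks for is the `find_user_parameterized` shape: keep the SQL text constant and hand every runtime value to the driver through its placeholder syntax (`?` for `sqlite3`; other DB-API drivers use `%s` or `:name`, but the value still travels separately from the statement). Note that placeholders only bind values, not identifiers: a table or column name chosen at runtime must be validated against an allow-list, since the rule will still flag a query assembled from it.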
Short Link: https://sg.run/xYry