java.aws-lambda.security.tainted-sql-string.tainted-sql-string


Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.


Definition

rules:
  - id: tainted-sql-string
    languages:
      - java
    severity: ERROR
    message: Detected user input used to manually construct a SQL string. This is
      usually bad practice because manual construction could accidentally result
      in a SQL injection. An attacker could use a SQL injection to steal or
      modify contents of the database. Instead, use a parameterized query which
      is available by default in most database engines. Alternatively, consider
      using an object-relational mapper (ORM) such as Sequelize which will
      protect your queries.
    # NOTE(review): Sequelize is a JavaScript ORM; the Java example below uses
    # Hibernate, and JDBC PreparedStatement is the parameterized-query API for
    # this language — confirm whether the message wording should say so.
    # The handler (source) and the query-building code (sink) may live in
    # different files, so taint tracking is run across files.
    options:
      interfile: true
    metadata:
      references:
        - https://owasp.org/www-community/attacks/SQL_Injection
      category: security
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      technology:
        - aws-lambda
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      interfile: true
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection
    # Taint mode: a finding requires a data flow from a source below into a
    # sink below. A sink shape on its own (e.g. concatenating a constant onto
    # a SQL literal) is not reported.
    mode: taint
    # Sources: the event parameter of a Lambda handler method. The method
    # patterns match the whole handler; focus-metavariable narrows the source
    # to the $EVENT parameter only.
    pattern-sources:
      - patterns:
          - focus-metavariable: $EVENT
          - pattern-either:
              # Typed-event handler: first parameter is the deserialized event,
              # last parameter is the Lambda Context.
              - pattern: >
                  $HANDLERTYPE $HANDLER($TYPE $EVENT,
                  com.amazonaws.services.lambda.runtime.Context $CONTEXT) {
                    ...
                  }
              # Stream handler: raw event bytes arrive on the InputStream.
              - pattern: >
                  $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT,
                  com.amazonaws.services.lambda.runtime.Context $CONTEXT) {
                    ...
                  }
    # Sinks: SQL text assembled at runtime from a literal that carries a SQL
    # keyword ($SQLSTR, constrained by the regex further down). Each entry is
    # one way of gluing a value onto that literal.
    pattern-sinks:
      - patterns:
          - pattern-either:
              # "SELECT ..." + x
              - pattern: |
                  "$SQLSTR" + ...
              # "SELECT ...".concat(x)
              - pattern: |
                  "$SQLSTR".concat(...)
              # StringBuilder seeded with the SQL literal, then append()ed to.
              - patterns:
                  - pattern-inside: |
                      StringBuilder $SB = new StringBuilder("$SQLSTR");
                      ...
                  - pattern: $SB.append(...)
              # A variable initialised with the SQL literal, then grown with +=.
              - patterns:
                  - pattern-inside: |
                      $VAR = "$SQLSTR";
                      ...
                  - pattern: $VAR += ...
              # String.format with the SQL literal as the format string.
              - pattern: String.format("$SQLSTR", ...)
          # The literal must contain a SQL statement keyword, case-insensitively.
          # NOTE(review): whether this regex is anchored at the start of the
          # literal depends on semgrep's metavariable-regex matching rules —
          # confirm. Either way, a fragment with no keyword (e.g. a literal
          # holding only a WHERE clause) is not a sink under this rule.
          - metavariable-regex:
              metavariable: $SQLSTR
              regex: (?i)(select|delete|insert|create|update|alter|drop)\b
          # Assembling the same string only to print it is not reported; the
          # example file's "ok" case relies on this exclusion.
          - pattern-not-inside: |
              System.out.$PRINTLN(...)

Examples

tainted-sql-string.java

package com.amazonaws.lambda.demo;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.Calendar;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.json.simple.JSONObject;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.lambda.demo.Emp;
import com.amazonaws.lambda.demo.HibernateUtil;
import com.amazonaws.lambda.demo.Request;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.lambda.demo.*;

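public class LambdaFunctionHandler implements RequestHandler<Request, String> {
  // Deployment settings and DB credentials come from the Lambda environment
  // rather than being hard-coded; they are passed straight to DriverManager.
  String dstBucket = System.getenv("bucketname");
  String host_name = System.getenv("host_name");
  String user_name = System.getenv("user_name");
  String password = System.getenv("password");
  String dbname = System.getenv("dbname");

  /**
   * Lambda entry point: runs an employee lookup for the id carried in
   * {@code request} and returns a status string.
   *
   * <p>This class is a rule test fixture. The line tagged {@code // ruleid:}
   * must keep building SQL text from request-derived data, because that is
   * exactly what the {@code tainted-sql-string} rule is expected to flag; the
   * {@code // ok:} lines show shapes the rule deliberately does not report.
   *
   * @param request the deserialized Lambda event (the rule's taint source)
   * @param context the Lambda runtime context, used only for error logging
   * @return the status string {@code s}; as written {@code s} starts as a
   *     single space, so the "Sucess" branch at the end is never entered
   */
  @Override
  public String handleRequest(Request request, Context context) {
    String s = " ";
    SessionFactory sessionFactory = HibernateUtil.getSessionFactory();
    // Session and Connection are both AutoCloseable. The original never closed
    // the JDBC Connection or Statement on either the normal or the error path,
    // which leaks a pooled connection per invocation.
    try (Session session = sessionFactory.openSession();
        Connection connect = DriverManager.getConnection(
            "jdbc:mysql://" + host_name + ":3306/" + dbname, user_name, password)) {
      int month = request.getMonth();
      int empid = request.getEmp_id();

      if (month <= 12 && month >= 1) {
        try (Statement statement = connect.createStatement()) {
          // Event-derived data (empid) is concatenated into the query text.
          // In production code this would be a PreparedStatement with a `?`
          // placeholder; it is left as-is because it is the rule's positive case.
          // ruleid: tainted-sql-string
          String query = "SELECT emp_name,emp_mail,manager_id FROM employee WHERE emp_id=" + empid;
          statement.executeQuery(query);

          // Same string, but only printed: excluded by the rule's
          // pattern-not-inside on System.out.$PRINTLN(...).
          // ok: tainted-sql-string
          System.out.println("SELECT emp_name,emp_mail,manager_id FROM employee WHERE emp_id=" + empid);

          // foobar is a constant, not event-derived, so there is no taint flow.
          String foobar = "'Something'";
          // ok: tainted-sql-string
          String query2 = "SELECT emp_name,emp_mail,manager_id FROM employee WHERE emp_id=" + foobar;
          // The original redeclared `resultSet` here, a duplicate local in the
          // same scope that does not compile; the unused ResultSet locals are
          // dropped (they are closed with the Statement anyway).
          statement.executeQuery(query2);

          // A bare literal with no concatenation matches none of the sink shapes.
          // ok: tainted-sql-string
          statement.executeQuery("SELECT * FROM employee");
        }
      }
    } catch (SQLException e) {
      // Lambda output goes through the runtime logger; the original's extra
      // printStackTrace() to stderr is dropped in favour of this single line.
      context.getLogger().log("error : " + e);
    }
    // The original used `s == ""`, a reference comparison that never tests
    // content. isEmpty() is the intended check; with s = " " it is still false.
    if (s.isEmpty()) {
      // Four values, so four placeholders: the original had five %s for four
      // arguments and would throw MissingFormatArgumentException.
      s = "Sucess " + String.format("Added %s %s %s %s.", request.emp_id, request.month, request.year, request.overtime);
    }
    return s;
  }
}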