java.aws-lambda.security.tainted-sqli.tainted-sqli


Detected SQL statement that is tainted by $EVENT object. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.



Definition

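rules:
  - id: tainted-sqli
    message: Detected SQL statement that is tainted by `$EVENT` object. This could
      lead to SQL injection if variables in the SQL statement are not properly
      sanitized. Use parameterized SQL queries or properly sanitize user input
      instead.
    languages:
      - java
    severity: WARNING
    mode: taint
    # Taint source: the event parameter of a Lambda handler, for both the typed-event
    # signature and the raw InputStream/OutputStream signature.
    pattern-sources:
      - patterns:
          - focus-metavariable: $EVENT
          - pattern-either:
              - pattern: >
                  $HANDLERTYPE $HANDLER($TYPE $EVENT,
                  com.amazonaws.services.lambda.runtime.Context $CONTEXT) {
                    ...
                  }
              - pattern: >
                  $HANDLERTYPE $HANDLER(InputStream $EVENT, OutputStream $OUT,
                  com.amazonaws.services.lambda.runtime.Context $CONTEXT) {
                    ...
                  }
    # Taint sinks: JDBC statement objects, Spring JdbcTemplate-style query helpers, and
    # execute/query calls whose SQL text was built by concatenating onto a
    # SELECT/INSERT/UPDATE string literal.
    pattern-sinks:
      - patterns:
          - pattern-either:
              - pattern: |
                  (java.sql.CallableStatement $STMT) = ...;
              - pattern: |
                  (java.sql.Statement $STMT) = ...;
              - pattern: |
                  (java.sql.PreparedStatement $STMT) = ...;
              - pattern: |
                  $VAR = $CONN.prepareStatement(...)
              - pattern: |
                  $PATH.queryForObject(...);
              - pattern: >
                  (java.util.Map<String, Object> $STMT) = $PATH.queryForMap(...);
              - pattern: >
                  (org.springframework.jdbc.support.rowset.SqlRowSet $STMT) =
                  ...;
              - patterns:
                  - pattern-inside: |
                      (String $SQL) = "$SQLSTR" + ...;
                      ...
                  - pattern: $PATH.$SQLCMD(..., $SQL, ...);
                  - metavariable-regex:
                      metavariable: $SQLSTR
                      # Anchor once and alternate inside the group. The earlier form
                      # `(^SELECT.* | ^INSERT.* | ^UPDATE.*)` kept the spaces around `|`
                      # as literal characters: the INSERT and UPDATE branches required a
                      # space before the start-of-string anchor and so could never match,
                      # and the SELECT branch only matched literals containing a space.
                      regex: (?i)^(SELECT|INSERT|UPDATE).*
                  - metavariable-regex:
                      metavariable: $SQLCMD
                      # Not anchored at the end: `execute` is presumably matched as a
                      # prefix/search, since the fixture's `ruleid` line on
                      # statement.executeQuery(...) relies on it.
                      regex: (execute|query|executeUpdate|batchUpdate)
    options:
      interfile: true
    metadata:
      category: security
      technology:
        - sql
        - java
        - aws-lambda
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      interfile: true
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection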

Examples

tainted-sqli.java

package com.amazonaws.lambda.demo;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import java.util.Calendar;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.json.simple.JSONObject;
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.lambda.demo.Emp;
import com.amazonaws.lambda.demo.HibernateUtil;
import com.amazonaws.lambda.demo.Request;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectMetadata;
import com.amazonaws.lambda.demo.*;

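public class LambdaFunctionHandler implements RequestHandler < Request, String > {
  String dstBucket = System.getenv("bucketname");
  String host_name = System.getenv("host_name");
  String user_name = System.getenv("user_name");
  String password = System.getenv("password");
  String dbname = System.getenv("dbname");

  /**
   * Test fixture for the tainted-sqli rule: reads an employee row for the id carried in the
   * Lambda event. The {@code // ruleid:} line must keep building its SQL text by concatenating
   * request data, because that is the finding the rule is expected to report; the
   * {@code // ok:} line uses a constant query and must stay unreported.
   *
   * @param request the Lambda event; its fields are the taint source for the rule
   * @param context Lambda runtime context, used here only for logging
   * @return a "Sucess ..." status string when no JDBC error occurred, otherwise {@code " "}
   */
  @Override
  public String handleRequest(Request request, Context context) {
    SessionFactory sessionFactory = HibernateUtil.getSessionFactory();
    boolean failed = false;
    // The JDBC connection and statement are resources as well; the original left both open.
    try (Session session = sessionFactory.openSession();
         Connection connect = DriverManager.getConnection("jdbc:mysql://" + host_name + ":3306/" + dbname, user_name, password);
         Statement statement = connect.createStatement()) {
      int empid = request.getEmp_id();
      if (request.getMonth() >= 1 && request.getMonth() <= 12) {
        String query = "SELECT emp_name,emp_mail,manager_id FROM employee WHERE emp_id=" + empid;
        // ruleid: tainted-sqli
        ResultSet resultSet = statement.executeQuery(query);
        // ok: tainted-sqli
        ResultSet resultSet2 = statement.executeQuery("SELECT * FROM employee");
      }
    } catch (SQLException e) {
      // Report through the Lambda logger only; printStackTrace() bypasses it.
      context.getLogger().log("error : " + e);
      failed = true;
    }
    String s = " ";
    if (!failed) {
      // Originally guarded by `s == ""`, a reference comparison against a literal that never
      // equals the " " sentinel, so this branch was dead; the format string also had five %s
      // for four arguments and would have thrown MissingFormatArgumentException.
      s = "Sucess " + String.format("Added %s %s %s %s.", request.emp_id, request.month, request.year, request.overtime);
    }
    return s;
  }
}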