javascript.aws-lambda.security.knex-sqli.knex-sqli

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Detected SQL statement that is tainted by $EVENT object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: knex.raw('SELECT $1 from table', [userinput])

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: knex-sqli
    message: "Detected SQL statement that is tainted by `$EVENT` object. This could
      lead to SQL injection if the variable is user-controlled and not properly
      sanitized. In order to prevent SQL injection, use parameterized queries or
      prepared statements instead. You can use parameterized statements like so:
      `knex.raw('SELECT $1 from table', [userinput])`"
    metadata:
      references:
        - https://knexjs.org/#Builder-fromRaw
        - https://knexjs.org/#Builder-whereRaw
      category: security
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      technology:
        - aws-lambda
        - knex
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection
    languages:
      - javascript
      - typescript
    severity: WARNING
    mode: taint
    pattern-sources:
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  exports.handler = function ($EVENT, ...) {
                    ...
                  }
              - pattern-inside: |
                  function $FUNC ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
              - pattern-inside: |
                  $FUNC = function ($EVENT, ...) {...}
                  ...
                  exports.handler = $FUNC
          - pattern: $EVENT
    pattern-sinks:
      - patterns:
          - focus-metavariable: $QUERY
          - pattern-either:
              - pattern: $KNEX.fromRaw($QUERY, ...)
              - pattern: $KNEX.whereRaw($QUERY, ...)
              - pattern: $KNEX.raw($QUERY, ...)
          - pattern-either:
              - pattern-inside: |
                  require('knex')
                  ...
              - pattern-inside: |
                  import 'knex'
                  ...

Examples

knex-sqli.js

import knex from "knex";
import Knex from "knex";

exports.handler = async (event) => {
  const connection = knex({
    client: "mysql",
    connection: {
      host: process.env.DB_HOST,
      port: Number(process.env.DB_PORT || "3306"),
      user: process.env.DB_USER,
      password: process.env.DB_PASSWORD,
      database: process.env.DB_DATABASE,
    },
  });

  // ruleid: knex-sqli
  await connection.raw(`
    INSERT INTO  (id, character, cartoon, link)
    VALUES(
        '${event.id}', 
        '${event.character}',
        '${event.cartoon}', 
        '${event.link}'
    )
    `);

  // ok: knex-sqli
  await connection.raw('SELECT * FROM foobar');
};