php.laravel.security.laravel-api-route-sql-injection.laravel-api-route-sql-injection

profile photo of semgrepsemgrep
Author
unknown
Download Count*

HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL injection via string concatenation or unsafe interpolation.

Run Locally

Run in CI

Defintion

rules:
  - id: laravel-api-route-sql-injection
    mode: taint
    pattern-sources:
      - patterns:
          - focus-metavariable: $ARG
          - pattern-inside: |
              Route::$METHOD($ROUTE_NAME, function(...,$ARG,...){...})
    pattern-sanitizers:
      - patterns:
          - pattern: |
              DB::raw("...",[...])
    pattern-sinks:
      - patterns:
          - pattern: |
              DB::raw(...)
    message: HTTP method [$METHOD] to Laravel route $ROUTE_NAME is vulnerable to SQL
      injection via string concatenation or unsafe interpolation.
    languages:
      - php
    severity: WARNING
    metadata:
      category: security
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md
      technology:
        - php
        - laravel
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: HIGH
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection

Examples

laravel-api-route-sql-injection.php

<?php
// https://www.cloudways.com/blog/laravel-security/
Route::get('this-is-prone-to-sql-injection', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = $name"));
});

Route::get('this-is-also-prone-to-sql-injection', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = " . $name));
});

Route::get('this-is-prone-to-sql-injection-too', function($name) {
return DB::select(
// ruleid: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = $name AND someproperty = foo"));
});

Route::get('safe-from-sql-injection', function($name) {
return DB::select(
// ok: laravel-api-route-sql-injection
DB::raw("SELECT * FROM users WHERE name = ?", [$name]));
});
?>