ruby.aws-lambda.security.sequel-sqli.sequel-sqli
semgrep
Author
unknown
Download Count*
License
Detected SQL statement that is tainted by event
object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: DB['select * from items where name = ?', name]
Run Locally
Run in CI
Defintion
rules:
- id: sequel-sqli
languages:
- ruby
message: "Detected SQL statement that is tainted by `event` object. This could
lead to SQL injection if the variable is user-controlled and not properly
sanitized. In order to prevent SQL injection, use parameterized queries or
prepared statements instead. You can use parameterized statements like so:
`DB['select * from items where name = ?', name]`"
mode: taint
metadata:
references:
- https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries
category: security
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
cwe:
- "CWE-89: Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')"
technology:
- aws-lambda
- sequel
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: MEDIUM
impact: HIGH
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- SQL Injection
pattern-sinks:
- patterns:
- pattern: $QUERY
- pattern-either:
- pattern: DB[$QUERY,...]
- pattern: DB.run($QUERY,...)
- pattern-inside: |
require 'sequel'
...
pattern-sources:
- patterns:
- pattern: event
- pattern-inside: |
def $HANDLER(event, context)
...
end
severity: WARNING
Examples
sequel-sqli.rb
require 'jwt'
require 'json'
require 'mysql2'
require 'sequel'
def handler(event:, context:)
DB = Sequel.connect(
:adapter => 'mysql2',
:host => ENV["DB_HOST"],
:port => ENV["DB_PORT"],
:database => ENV["DB_NAME"],
:user => ENV["DB_USER"],
:password => ENV["DB_PASSWORD"])
# ruleid: sequel-sqli
dataset = DB["SELECT * FROM users WHERE group='#{event['id']}'"]
# ok: sequel-sqli
dataset2 = DB['select id from items']
{statusCode: 200, body: JSON.generate(dataset)}
end
Short Link: https://sg.run/n9vY