scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request

Author
unknown
Download Count*
License
User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (connection.PreparedStatement
) or a safe library.
Run Locally
Run in CI
Defintion
rules:
- id: tainted-sql-from-http-request
languages:
- scala
severity: ERROR
mode: taint
message: User data flows into this manually-constructed SQL string. User data
can be safely inserted into SQL strings using prepared statements or an
object-relational mapper (ORM). Manually-constructed SQL strings is a
possible indicator of SQL injection, which could let an attacker steal or
manipulate data from the database. Instead, use prepared statements
(`connection.PreparedStatement`) or a safe library.
metadata:
cwe:
- "CWE-89: Improper Neutralization of Special Elements used in an SQL
Command ('SQL Injection')"
owasp:
- A01:2017 - Injection
- A03:2021 - Injection
references:
- https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
category: security
technology:
- scala
- play
confidence: HIGH
cwe2022-top25: true
cwe2021-top25: true
subcategory:
- vuln
likelihood: HIGH
impact: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- SQL Injection
pattern-sources:
- patterns:
- pattern-either:
- patterns:
- pattern: $REQ
- pattern-either:
- pattern-inside: |
Action {
$REQ: Request[$T] =>
...
}
- pattern-inside: |
Action(...) {
$REQ: Request[$T] =>
...
}
- pattern-inside: |
Action.async {
$REQ: Request[$T] =>
...
}
- pattern-inside: |
Action.async(...) {
$REQ: Request[$T] =>
...
}
- patterns:
- pattern: $PARAM
- pattern-either:
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = Action {
...
}
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = Action(...) {
...
}
- pattern-inside: |
def $CTRL(..., $PARAM: $TYPE, ...) = Action.async {
...
}
- pattern-inside: >
def $CTRL(..., $PARAM: $TYPE, ...) = Action.async(...)
{
...
}
pattern-sinks:
- patterns:
- pattern-either:
- patterns:
- pattern-either:
- pattern: |
"$SQLSTR" + ...
- pattern: |
"$SQLSTR".format(...)
- patterns:
- pattern-inside: |
$SB = new StringBuilder("$SQLSTR");
...
- pattern: $SB.append(...)
- patterns:
- pattern-inside: |
$VAR = "$SQLSTR"
...
- pattern: $VAR += ...
- metavariable-regex:
metavariable: $SQLSTR
regex: (?i)(select|delete|insert|create|update|alter|drop)\b
- patterns:
- pattern: s"..."
- pattern-regex: >
.*\b(?i)(select|delete|insert|create|update|alter|drop)\b.*
- pattern-not-inside: println(...)
Examples
tainted-sql-from-http-request.scala
package controllers
import play.api.mvc._
import javax.inject._
import java.sql.{Connection, ResultSet, DriverManager}
@Singleton
class HomeController @Inject()(val controllerComponents: ControllerComponents) extends BaseController{
def oneAction() = Action { implicit request: Request[AnyContent] =>
val bodyVals = request.body.asFormUrlEncoded
val name = bodyVals.get("username").head
// ruleid: tainted-sql-from-http-request
val sql = "SELECT * FROM table WHERE name = " + name + ";"
val conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password")
val stmt = conn.createStatement()
val rs = stmt.execute(sql)
Ok(rs.first())
}
def twoAction() = Action { implicit request: Request[AnyContent] =>
val bodyVals = request.body.asFormUrlEncoded
val name = bodyVals.get("username").head
// ruleid: tainted-sql-from-http-request
val sql = "SELECT * FROM table WHERE name = " + name + ";"
val conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password")
val stmt = conn.createStatement()
val rs = stmt.execute(sql)
Ok(rs.first())
}
def threeAction() = Action { implicit request: Request[AnyContent] =>
val bodyVals = request.body.asFormUrlEncoded
val name = bodyVals.get("username").head
val conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password")
val stmt = conn.createStatement()
// ruleid: tainted-sql-from-http-request
val rs = stmt.execute(s"SELECT * FROM table WHERE name = $name;")
Ok(rs.first())
}
def okAction1() = Action { implicit request: Request[AnyContent] =>
val name = "hardcoded_value"
val conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password")
val stmt = conn.createStatement()
// ok: tainted-sql-from-http-request
val rs = stmt.execute(s"SELECT * FROM table WHERE name = $name;")
Ok(rs.first())
}
def okAction2(name: String) = Action { implicit request: Request[AnyContent] =>
val name = "value"
// ok: tainted-sql-from-http-request
val sql = "SELECT * FROM table WHERE name = " + name + ";"
val conn = DriverManager.getConnection("jdbc:mysql://localhost:8080", "guest", "password")
val stmt = conn.createStatement()
val rs = stmt.execute(sql)
Ok(rs.first())
}
}
Short Link: https://sg.run/BeW9