scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal

Author
unknown

Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using #$variable and use $variable in sql"..." strings instead.

Definition

rules:
  - id: scala-slick-sql-non-literal
    patterns:
      - pattern: sql"..."
      - pattern-regex: \#\$
      - pattern-inside: |
          import slick.$DEPS
          ...
    message: Detected a formatted string in a SQL statement. This could lead to SQL
      injection if variables in the SQL statement are not properly sanitized.
      Avoid using `#$variable` and use `$variable` in `sql"..."` strings
      instead.
    languages:
      - scala
    severity: ERROR
    metadata:
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SCALA_SQL_INJECTION_SLICK
      references:
        - https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values
      category: security
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      technology:
        - scala
        - slick
      confidence: LOW
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection

Examples

scala-slick-sql-non-literal.scala

import slick.jdbc.H2Profile.api._

class FooBar {
  def something(name: String) = {
    val db = Database.forConfig("h2mem1")

    // `#$name` splices the string into the SQL text verbatim (no escaping,
    // no bind parameter), so attacker-controlled input becomes SQL.
    // ruleid: scala-slick-sql-non-literal
    val action = sql"select ID, NAME, AGE from #$name".as[(Int,String,Int)]
    db.run(action)

    // `$name` is turned into a `?` placeholder and passed as a bind
    // parameter, so the value can never change the statement's structure.
    // ok: scala-slick-sql-non-literal
    val action2 = sql"select ID, NAME, AGE from $name".as[(Int,String,Int)]
    db.run(action2)
  }
}
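An added example, not from the Semgrep rule or the Slick project, for the one case where `$` cannot replace `#$`: a table name is an identifier, not a value, so it cannot be a bind parameter. The defensive pattern is to check the identifier against a fixed allowlist before splicing it and to keep every data value as a `$` bind parameter (the `allowedTables` set and `selectFrom` function are assumptions of this example):

```scala
import slick.jdbc.H2Profile.api._

object SafeDynamicTable {
  // Assumption for this example: the only tables the application may query
  // dynamically. Only these constants ever reach the `#$` splice.
  private val allowedTables: Set[String] = Set("USERS", "ACCOUNTS")

  // Returns the table name to splice, or None when it is not allowlisted.
  def checkTable(table: String): Option[String] = {
    val candidate = table.trim.toUpperCase
    if (allowedTables.contains(candidate)) Some(candidate) else None
  }

  // Builds the query. `#$tbl` is still literal splicing, but the value is an
  // allowlisted constant; `$minAge` is a bind parameter, so user data is
  // never interpolated into the SQL text.
  def selectFrom(table: String, minAge: Int) = {
    val tbl = checkTable(table).getOrElse(
      throw new IllegalArgumentException(s"table not allowed: $table"))
    sql"select ID, NAME, AGE from #$tbl where AGE >= $minAge".as[(Int, String, Int)]
  }
}
```

The rule matches on the `#$` token alone, so this query is still reported; the finding is then a triage case (allowlisted identifier) rather than an injection, which is why the rule is classified as an `audit` subcategory with `LOW` confidence.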