Conversation

@andrecsilva
Contributor

@andrecsilva andrecsilva commented Apr 22, 2024

Overview

Adds Sonar version of SQL parameterization codemod. Also fixes a bug where files with multiple SQL injections were only being issued a single fix.

Closes #375

@andrecsilva andrecsilva changed the title Fixed issue with multiple class with injections Adds sonar version of SQLParameterizer codemod Apr 22, 2024
import sqlite3  # excerpt from the test fixture; `user` is assumed to hold user-controlled input

sql = "SELECT user FROM users WHERE user = '" + user + "'"  # query text built by string concatenation

conn = sqlite3.connect("example")
conn.cursor().execute(sql) # Noncompliant

Check failure

Code scanning / SonarCloud

Database queries should not be vulnerable to injection attacks

Change this code to not construct SQL queries directly from user-controlled data. See more on SonarCloud: https://sonarcloud.io/project/issues?id=pixee_codemodder-python&issues=AY8FpVQc1la452LTqYsp&open=AY8FpVQc1la452LTqYsp&pullRequest=495
import sqlite3  # excerpt from the test fixture; `user` is assumed to hold user-controlled input

sql = """SELECT user FROM users WHERE user = \'%s\'"""  # query text completed by %-formatting below

conn = sqlite3.connect("example")
conn.cursor().execute(sql % (user)) # Noncompliant

Check failure

Code scanning / SonarCloud

Database queries should not be vulnerable to injection attacks

Change this code to not construct SQL queries directly from user-controlled data. See more on SonarCloud: https://sonarcloud.io/project/issues?id=pixee_codemodder-python&issues=AY8FpVQc1la452LTqYsq&open=AY8FpVQc1la452LTqYsq&pullRequest=495
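Added example, not code from this PR or the codemodder-python project: the two query shapes SonarCloud flagged above, placed beside the `?`-placeholder form a sql-parameterization fix produces, and run against an in-memory sqlite3 table constructed here. The `users` rows, the function names and the `compare` helper are assumptions made for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a `users` table like the one the flagged queries read."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT)")
    # The second row carries a quote, the character a concatenated query cannot survive.
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("o'brien",)])
    conn.commit()
    return conn


def lookup_concat(conn: sqlite3.Connection, user: str) -> list:
    # First flagged shape: the value is spliced into the SQL text by concatenation.
    sql = "SELECT user FROM users WHERE user = '" + user + "'"
    return conn.cursor().execute(sql).fetchall()  # Noncompliant


def lookup_format(conn: sqlite3.Connection, user: str) -> list:
    # Second flagged shape: the value is %-formatted into the SQL text.
    sql = """SELECT user FROM users WHERE user = \'%s\'"""
    return conn.cursor().execute(sql % (user)).fetchall()  # Noncompliant


def lookup_param(conn: sqlite3.Connection, user: str) -> list:
    # Parameterized form: a `?` placeholder in the SQL text and the value passed
    # separately, so the driver never lets the value be parsed as SQL.
    sql = "SELECT user FROM users WHERE user = ?"
    return conn.cursor().execute(sql, (user,)).fetchall()


def compare(user: str) -> dict:
    """Run all three shapes on one input; the unsafe shapes report 'error' when a
    quote in the input breaks the query instead of being matched as data."""
    results = {}
    shapes = (("concat", lookup_concat), ("format", lookup_format), ("param", lookup_param))
    for name, fn in shapes:
        try:
            results[name] = fn(make_db(), user)
        except sqlite3.OperationalError:
            results[name] = "error"
    return results


if __name__ == "__main__":
    print(compare("alice"))    # all three shapes find the row
    print(compare("o'brien"))  # only the parameterized query finds the row
```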
@sonarqubecloud

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@andrecsilva andrecsilva marked this pull request as ready for review April 22, 2024 14:58
@andrecsilva andrecsilva added this pull request to the merge queue Apr 23, 2024
Merged via the queue into main with commit a2a1eb0 Apr 23, 2024
@andrecsilva andrecsilva deleted the sonar-sql branch April 23, 2024 10:52

Development

Successfully merging this pull request may close these issues.

Sonar: fix SQL injection with sql-parameterization