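rules:
  - id: tainted-sql-string
    languages:
      - scala
    severity: ERROR
    # Taint rule: a method parameter (source) that reaches a string-built SQL
    # statement (sink) is reported, unless the flow is wrapped in a logging
    # call (sanitizer).
    mode: taint
    message: >-
      User data flows into this manually-constructed SQL string. User data can
      be passed to the database safely through prepared statements (bind
      parameters) or an object-relational mapper (ORM). Manually-constructed SQL
      strings are a possible indicator of SQL injection, which could let an
      attacker steal or manipulate data from the database. Instead, use a
      prepared statement (`java.sql.PreparedStatement`, created with
      `connection.prepareStatement(...)`) with bind parameters, or a safe
      query-building library.
    metadata:
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html
        - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
      category: security
      technology:
        - scala
      # MEDIUM: every `def` parameter is treated as attacker-controlled (see
      # pattern-sources), so findings inside internal helpers are expected.
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: HIGH
    # Sources: every parameter of every `def`, whether its body is a plain block,
    # a wrapped block (`= $A { ... }`, e.g. a Play `Action`) or a wrapped call
    # (`= $A(...) { ... }`). `$CTRL` is unconstrained, so this is not limited to
    # HTTP controllers.
    pattern-sources:
      - patterns:
          - pattern: $PARAM
          - pattern-either:
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = {
                    ...
                  }
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = $A {
                    ...
                  }
              - pattern-inside: |
                  def $CTRL(..., $PARAM: $TYPE, ...) = $A(...) {
                    ...
                  }
    pattern-sinks:
      - patterns:
          - pattern-either:
              # 1. A string literal that starts an SQL statement, extended by
              #    concatenation, `.format`, `StringBuilder.append` or `+=`.
              #    Not covered: `$VAR + ...` where $VAR holds the literal, and
              #    `... + "$SQLSTR"` with the literal on the right-hand side.
              - patterns:
                  - pattern-either:
                      - pattern: |
                          "$SQLSTR" + ...
                      - pattern: |
                          "$SQLSTR".format(...)
                      - patterns:
                          - pattern-inside: |
                              $SB = new StringBuilder("$SQLSTR");
                              ...
                          - pattern: $SB.append(...)
                      - patterns:
                          - pattern-inside: |
                              $VAR = "$SQLSTR"
                              ...
                          - pattern: $VAR += ...
                  - metavariable-regex:
                      metavariable: $SQLSTR
                      # Unanchored: the keyword is matched anywhere in the literal
                      # (e.g. after leading whitespace), as a whole word.
                      regex: '(?i)(select|delete|insert|create|update|alter|drop)\b'
              # 2. An `s"..."`/`f"..."` interpolation whose text contains an SQL
              #    keyword. Only this sink excludes `println(...)`; the
              #    concatenation sinks above rely on pattern-sanitizers alone.
              - patterns:
                  - pattern-either:
                      - pattern: s"..."
                      - pattern: f"..."
                  # `(?i)` goes first: a global flag in mid-pattern is rejected by
                  # some engines (Python 3.11+) and placing it first is equivalent
                  # here. `|-` keeps a trailing newline out of the regex.
                  - pattern-regex: |-
                      (?i).*\b(select|delete|insert|create|update|alter|drop)\b.*
                  - pattern-not-inside: println(...)
    # Sanitizers: logging calls. A sanitizer clears taint for whatever it
    # matches, so the name checks are anchored — an identifier that merely
    # contains "log" (`catalog`, `dialog`) or a method that merely contains
    # "info"/"error" (`getInfo`, `errorCount`) must not silence a real query.
    # NOTE: the earlier regexes used `(i?)` (an optional literal "i") where the
    # case-insensitive flag `(?i)` was intended, so `LOG.info(...)` was not
    # recognised while `catalog.run(...)` was.
    pattern-sanitizers:
      - pattern-either:
          - patterns:
              - pattern-either:
                  - pattern: $LOGGER.$METHOD(...)
                  - pattern: $LOGGER(...)
              - metavariable-regex:
                  metavariable: $LOGGER
                  regex: '(?i)^log'
          - patterns:
              - pattern: $LOGGER.$METHOD(...)
              - metavariable-regex:
                  metavariable: $METHOD
                  regex: '(?i)^(trace|info|warn|warning|warnToError|error|debug)$'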