Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 throws false positive for integer only parameter #3503

Closed
1 of 3 tasks
GiantCrocodile opened this issue Oct 27, 2024 · 3 comments
Closed
1 of 3 tasks

SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1 throws false positive for integer only parameter #3503

GiantCrocodile opened this issue Oct 27, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@GiantCrocodile
Copy link

Describe the bug
False positive in Java code due to missing check of parameter type (not every type can be exploited for SQL injections).

To Reproduce

	public List<Image> loadUserImages(int userId) {
		return em.createQuery("Select i from Image i join i.user u where u.id='" + userId + "'").getResultList();
	}

Expected behavior
No security finding if the only passed variable/parameter is an integer. Integers can't be abused for sql injections according to quick researches.

Priority
How important is this to you?

  • P0: blocking me from making progress
  • P1: this will block me in the near future
  • P2: annoying but not blocking me
@GiantCrocodile GiantCrocodile added the bug Something isn't working label Oct 27, 2024
@0xDC0DE
Copy link
Contributor

0xDC0DE commented Nov 12, 2024

Hey @GiantCrocodile !
This can easily be fixed by adding the following options to the rule (assuming it is a taint mode rule).

  options:
    taint_assume_safe_booleans: true
    taint_assume_safe_numbers: true

However, I am not sure what rule you are experiencing this issue with. Could you tell me the rule path or id?

@GiantCrocodile
Copy link
Author

GiantCrocodile commented Nov 12, 2024
edited
Loading

Hi @0xDC0DE! Not sure if it runs in taint mode. It's executed via Semgrep cloud in a managed scenario. I think this is the full path of the rule:

find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1.

Name should be gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1.SQL_INJECTION-1.SQL_INJECTION_HIBERNATE-1.SQL_INJECTION_VERTX-1.SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING-1

@0xDC0DE
Copy link
Contributor

0xDC0DE commented Nov 13, 2024

Hmmm. It looks like this is one of the rules that is maintained by Gitlab and not Semgrep.

I did some searching in their repo, it could be this rule:
https://gitlab.com/gitlab-org/security-products/sast-rules/-/blob/main/rules/lgpl-cc/java/inject/rule-SqlInjection.yml#L126

This rule has a sink that matches the testcode you've provided to reproduce. I've created a merge request, here: https://gitlab.com/gitlab-org/security-products/sast-rules/-/merge_requests/668

Let's see if they'll update the rule.

@0xDC0DE 0xDC0DE closed this as completed Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Milestone
No milestone
Development

No branches or pull requests
2 participants
@0xDC0DE @GiantCrocodile