C#: Convert SQL injection test to use inline expectations.
@@ -17,12 +17,12 @@ namespace Test
|
||||
{
|
||||
connection.Open();
|
||||
SqlCommand customerCommand = new SqlCommand("SELECT * FROM customers", connection);
|
||||
SqlDataReader customerReader = customerCommand.ExecuteReader();
|
||||
SqlDataReader customerReader = customerCommand.ExecuteReader(); // $ Source[cs/sql-injection]
|
||||
|
||||
while (customerReader.Read())
|
||||
{
|
||||
// BAD: Read from database, write it straight to another query
|
||||
SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection);
|
||||
SqlCommand secondCustomerCommand = new SqlCommand("SELECT * FROM customers WHERE customerName=" + customerReader.GetString(1), connection); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
customerReader.Close();
|
||||
}
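Review bot: The new Source tag is placed on `SqlDataReader customerReader = customerCommand.ExecuteReader();`, while the value that actually reaches the second query is `customerReader.GetString(1)` on the `secondCustomerCommand` line, so a maintainer reading the file later may be tempted to move the tag down. Presumably the query models the reader returned by ExecuteReader as the untrusted source (data read back from the database) and GetString is only a taint step, but nothing in the file says so. A comment on the ExecuteReader line such as `// Source: rows read back from the database are treated as untrusted for the next query` would record the intent next to the tag. The enclosing method starts before this hunk.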
|
||||
@@ -30,7 +30,7 @@ namespace Test
|
||||
|
||||
public void RunSQLFromFile()
|
||||
{
|
||||
using (FileStream fs = new FileStream("myfile.txt", FileMode.Open))
|
||||
using (FileStream fs = new FileStream("myfile.txt", FileMode.Open)) // $ Source[cs/sql-injection]
|
||||
{
|
||||
using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
|
||||
{
|
||||
@@ -42,7 +42,7 @@ namespace Test
|
||||
continue;
|
||||
using (var connection = new SQLiteConnection(""))
|
||||
{
|
||||
var cmd = new SQLiteCommand(sql, connection);
|
||||
var cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]
|
||||
cmd.ExecuteScalar();
|
||||
}
|
||||
}
|
||||
|
||||
@@ -35,8 +35,8 @@ namespace Test
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
|
||||
+ categoryTextBox.Text + "' ORDER BY PRICE";
|
||||
var adapter = new SqlDataAdapter(query1, connection);
|
||||
+ categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
|
||||
var result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
}
|
||||
@@ -70,9 +70,9 @@ namespace Test
|
||||
{
|
||||
// BAD: Use EntityFramework direct Sql execution methods
|
||||
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
|
||||
+ categoryTextBox.Text + "' ORDER BY PRICE";
|
||||
context.Database.ExecuteSqlCommand(query1);
|
||||
context.Database.SqlQuery<string>(query1);
|
||||
+ categoryTextBox.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
context.Database.ExecuteSqlCommand(query1); // $ Alert[cs/sql-injection]
|
||||
context.Database.SqlQuery<string>(query1); // $ Alert[cs/sql-injection]
|
||||
// GOOD: Use EntityFramework direct Sql execution methods with parameter
|
||||
var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
|
||||
+ "@p0 ORDER BY PRICE";
|
||||
@@ -84,8 +84,8 @@ namespace Test
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
|
||||
+ box1.Text + "' ORDER BY PRICE";
|
||||
var adapter = new SqlDataAdapter(query1, connection);
|
||||
+ box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var adapter = new SqlDataAdapter(query1, connection); // $ Alert[cs/sql-injection]
|
||||
var result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
}
|
||||
@@ -94,9 +94,9 @@ namespace Test
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
|
||||
+ box1.Text + "' ORDER BY PRICE";
|
||||
var cmd = new SqlCommand(queryString);
|
||||
var adapter = new SqlDataAdapter(cmd);
|
||||
+ box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
|
||||
var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
|
||||
var result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
}
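Review bot: Two Alert tags are expected for one tainted query in this hunk — on `var cmd = new SqlCommand(queryString);` and again on `var adapter = new SqlDataAdapter(cmd);` — whereas the Dapper hunk further down expects an Alert on `new CommandDefinition(query)` but none on the `connection.QueryFirstAsync(comDef)` call that consumes it. That asymmetry is presumably just what the query reports today rather than a deliberate design, and once the expectations are inline a future sink-model change will fail one of these files without explanation. A one-line comment above the adapter line, e.g. `// the adapter wrapping an already-tainted command is modelled as its own sink`, would make the duplicate intentional. The same pair appears in the `Console.ReadLine()!` hunk below and on `adapter = new SQLiteDataAdapter(cmd);` in the SQLite file.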
|
||||
@@ -105,9 +105,9 @@ namespace Test
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
|
||||
+ Console.ReadLine()! + "' ORDER BY PRICE";
|
||||
var cmd = new SqlCommand(queryString);
|
||||
var adapter = new SqlDataAdapter(cmd);
|
||||
+ Console.ReadLine()! + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
|
||||
var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
|
||||
var result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
}
|
||||
@@ -119,14 +119,14 @@ namespace Test
|
||||
public abstract class MyController : Controller
|
||||
{
|
||||
[HttpPost("{userId:string}")]
|
||||
public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken)
|
||||
public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken) // $ Source[cs/sql-injection]
|
||||
{
|
||||
// This is a vulnerable method due to SQL injection
|
||||
string query = "SELECT * FROM Users WHERE UserId = '" + userId + "'";
|
||||
|
||||
using (SqlConnection connection = new SqlConnection("YourConnectionString"))
|
||||
{
|
||||
SqlCommand command = new SqlCommand(query, connection);
|
||||
SqlCommand command = new SqlCommand(query, connection); // $ Alert[cs/sql-injection]
|
||||
connection.Open();
|
||||
|
||||
SqlDataReader reader = command.ExecuteReader();
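Review bot: `[HttpPost("{userId:string}")]` uses `string` as an inline route constraint, which is not one of ASP.NET Core's built-in constraints; in a running application the template would be rejected when routes are built, though for an extractor-only fixture it is harmless. The attribute is unchanged context, so this is not the commit's doing, but the new Source tag on the `GetUserById(...)` signature presumably relies on the `[FromRoute]` parameter rather than on the template, so `[HttpPost("{userId}")]` would keep the fixture's behaviour and stop the example from teaching an invalid constraint. The method body continues past the hunk (the `reader` created on the last line is neither read nor disposed within view).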
|
||||
|
||||
@@ -1,2 +1,4 @@
|
||||
query: Security Features/CWE-089/SqlInjection.ql
|
||||
postprocess: utils/test/PrettyPrintModels.ql
|
||||
postprocess:
|
||||
- utils/test/PrettyPrintModels.ql
|
||||
- utils/test/InlineExpectationsTestQuery.ql
|
||||
|
||||
@@ -17,8 +17,8 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
var result = connection.Query<object>(query);
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var result = connection.Query<object>(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,8 +26,8 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
var result = await connection.QueryAsync<object>(query);
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var result = await connection.QueryAsync<object>(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -35,8 +35,8 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
var result = await connection.QueryFirstAsync(query);
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
var result = await connection.QueryFirstAsync(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -44,9 +44,9 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
|
||||
await connection.ExecuteAsync(query);
|
||||
await connection.ExecuteAsync(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -54,8 +54,8 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
connection.ExecuteScalar(query);
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
connection.ExecuteScalar(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -63,8 +63,8 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
connection.ExecuteReader(query);
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
connection.ExecuteReader(query); // $ Alert[cs/sql-injection]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -72,9 +72,9 @@ namespace Test
|
||||
{
|
||||
using (var connection = new SqlConnection(connectionString))
|
||||
{
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE";
|
||||
var query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
|
||||
|
||||
var comDef = new CommandDefinition(query);
|
||||
var comDef = new CommandDefinition(query); // $ Alert[cs/sql-injection]
|
||||
var result = await connection.QueryFirstAsync(comDef);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,12 +16,12 @@ namespace TestSqlite
|
||||
public void InjectUntrustedData()
|
||||
{
|
||||
// BAD: untrusted data is not sanitized.
|
||||
SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text);
|
||||
SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text); // $ Alert[cs/sql-injection]
|
||||
|
||||
// BAD: untrusted data is not sanitized.
|
||||
using (var connection = new SQLiteConnection(connectionString))
|
||||
{
|
||||
cmd = new SQLiteCommand(untrustedData.Text, connection);
|
||||
cmd = new SQLiteCommand(untrustedData.Text, connection); // $ Source[cs/sql-injection] Alert[cs/sql-injection]
|
||||
}
|
||||
|
||||
SQLiteDataAdapter adapter;
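Review bot: Only `cmd = new SQLiteCommand(untrustedData.Text, connection);` carries both tags (`$ Source[cs/sql-injection] Alert[cs/sql-injection]`), while the identical `untrustedData.Text` argument on `SQLiteCommand cmd = new SQLiteCommand(untrustedData.Text);` — and, in the next hunk, both `SQLiteDataAdapter(untrustedData.Text, ...)` lines — gets Alert only; in the other file every `categoryTextBox.Text`/`box1.Text` use is tagged Source. Presumably the expectation generator reports one Source location per distinct source element or path and the rest are deduplicated, but as written the asymmetry looks like an omission that a maintainer would "fix" and then chase a spurious test failure. A short comment on the doubly-tagged line, e.g. `// only one of the untrustedData.Text reads is reported as the Source by InlineExpectationsTestQuery.ql`, would explain it. The enclosing method continues past the hunk.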
|
||||
@@ -30,23 +30,23 @@ namespace TestSqlite
|
||||
// BAD: untrusted data is not sanitized.
|
||||
using (var connection = new SQLiteConnection(connectionString))
|
||||
{
|
||||
adapter = new SQLiteDataAdapter(untrustedData.Text, connection);
|
||||
adapter = new SQLiteDataAdapter(untrustedData.Text, connection); // $ Alert[cs/sql-injection]
|
||||
result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
}
|
||||
|
||||
// BAD: untrusted data is not sanitized.
|
||||
adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString);
|
||||
adapter = new SQLiteDataAdapter(untrustedData.Text, connectionString); // $ Alert[cs/sql-injection]
|
||||
result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
|
||||
// BAD: untrusted data is not sanitized.
|
||||
adapter = new SQLiteDataAdapter(cmd);
|
||||
adapter = new SQLiteDataAdapter(cmd); // $ Alert[cs/sql-injection]
|
||||
result = new DataSet();
|
||||
adapter.Fill(result);
|
||||
|
||||
// BAD: untrusted data as filename is not sanitized.
|
||||
using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open))
|
||||
using (FileStream fs = new FileStream(untrustedData.Text, FileMode.Open)) // $ Source[cs/sql-injection]
|
||||
{
|
||||
using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
|
||||
{
|
||||
@@ -58,7 +58,7 @@ namespace TestSqlite
|
||||
continue;
|
||||
using (var connection = new SQLiteConnection(""))
|
||||
{
|
||||
cmd = new SQLiteCommand(sql, connection);
|
||||
cmd = new SQLiteCommand(sql, connection); // $ Alert[cs/sql-injection]
|
||||
cmd.ExecuteScalar();
|
||||
}
|
||||
}
|
||||
@@ -66,4 +66,4 @@ namespace TestSqlite
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||