hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
377fb00dea83549416b95929962f555395e7898f
codeql/csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.cs
Michael Nebel 5d14307ea2 C#: Add a SQL injection test case for ASP.NET.
2024-08-21 12:14:30 +02:00

143 lines
5.5 KiB
C#
Raw Blame History

using System;
namespace System.Web.UI.WebControls
{
public class TextBox { public string Text { get; set; } }
}
namespace Test
{
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Diagnostics.CodeAnalysis;
using System.Threading;
using System.Threading.Tasks;
using System.Web.UI.WebControls;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
public class EntityFrameworkContext : DbContext
{
public EntityFrameworkContext()
{
}
}
class SqlInjection
{
TextBox categoryTextBox;
string connectionString;
public void GetDataSetByCategory()
{
// BAD: the category might have SQL special characters in it
using (var connection = new SqlConnection(connectionString))
{
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ categoryTextBox.Text + "' ORDER BY PRICE";
var adapter = new SqlDataAdapter(query1, connection);
var result = new DataSet();
adapter.Fill(result);
}
// GOOD: use parameters with stored procedures
using (var connection = new SqlConnection(connectionString))
{
var adapter = new SqlDataAdapter("ItemsStoredProcedure", connection);
adapter.SelectCommand.CommandType = CommandType.StoredProcedure;
var parameter = new SqlParameter("category", categoryTextBox.Text);
adapter.SelectCommand.Parameters.Add(parameter);
var result = new DataSet();
adapter.Fill(result);
}
// GOOD: use parameters with dynamic SQL
using (var connection = new SqlConnection(connectionString))
{
var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
+ "@category ORDER BY PRICE";
var adapter = new SqlDataAdapter(query2, connection);
var parameter = new SqlParameter("category", categoryTextBox.Text);
adapter.SelectCommand.Parameters.Add(parameter);
var result = new DataSet();
adapter.Fill(result);
}
using (var connection = new SqlConnection(connectionString))
{
using (var context = new EntityFrameworkContext())
{
// BAD: Use EntityFramework direct Sql execution methods
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ categoryTextBox.Text + "' ORDER BY PRICE";
context.Database.ExecuteSqlCommand(query1);
context.Database.SqlQuery<string>(query1);
// GOOD: Use EntityFramework direct Sql execution methods with parameter
var query2 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY="
+ "@p0 ORDER BY PRICE";
context.Database.ExecuteSqlCommand(query2, categoryTextBox.Text);
}
}
// BAD: Text from a local textbox
using (var connection = new SqlConnection(connectionString))
{
var query1 = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ box1.Text + "' ORDER BY PRICE";
var adapter = new SqlDataAdapter(query1, connection);
var result = new DataSet();
adapter.Fill(result);
}
// BAD: Text from a local textbox
using (var connection = new SqlConnection(connectionString))
{
var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ box1.Text + "' ORDER BY PRICE";
var cmd = new SqlCommand(queryString);
var adapter = new SqlDataAdapter(cmd);
var result = new DataSet();
adapter.Fill(result);
}
// BAD: Input from the command line. (also implicitly check flow via suppress nullable warning `!`)
using (var connection = new SqlConnection(connectionString))
{
var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+ Console.ReadLine()! + "' ORDER BY PRICE";
var cmd = new SqlCommand(queryString);
var adapter = new SqlDataAdapter(cmd);
var result = new DataSet();
adapter.Fill(result);
}
}
System.Windows.Forms.TextBox box1;
}
public abstract class MyController : Controller
{
[HttpPost("{userId:string}")]
public async Task<IActionResult> GetUserById([FromRoute] string userId, CancellationToken cancellationToken)
{
// This is a vulnerable method due to SQL injection
string query = "SELECT * FROM Users WHERE UserId = '" + userId + "'";
using (SqlConnection connection = new SqlConnection("YourConnectionString"))
{
SqlCommand command = new SqlCommand(query, connection);
connection.Open();
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
Console.WriteLine(String.Format("{0}, {1}", reader["UserId"], reader["Username"]));
}
}
return Ok();
}
}
}
Reference in New Issue View Git Blame Copy Permalink