B608: hardcoded_sql_expressions

B608: Test for SQL injection

An SQL injection attack consists of insertion or “injection” of a SQL query via the input data given to an application. It is a very common attack vector. This plugin test looks for strings that resemble SQL statements that are involved in some form of string building operation. For example:

“SELECT %s FROM derp;” % var

“SELECT thing FROM “ + tab

“SELECT “ + val + “ FROM “ + tab + …

“SELECT {} FROM derp;”.format(var)

f”SELECT foo FROM bar WHERE id = {product}”

Unless care is taken to sanitize and control the input data when building such SQL statement strings, an injection attack becomes possible. If strings of this nature are discovered, a LOW confidence issue is reported. In order to boost result confidence, this plugin test will also check to see if the discovered string is in use with standard Python DBAPI calls execute or executemany. If so, a MEDIUM issue is reported. For example:

cursor.execute(“SELECT %s FROM derp;” % var)

Use of str.replace in the string construction can also be dangerous. For example:

“SELECT * FROM foo WHERE id = ‘[VALUE]’”.replace(“[VALUE]”, identifier)

However, such cases are always reported with LOW confidence to compensate for false positives, since valid uses of str.replace can be common.

Example:

>> Issue: Possible SQL injection vector through string-based query
construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: ./examples/sql_statements.py:4
3 query = "DELETE FROM foo WHERE id = '%s'" % identifier
4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
5