Modify rule S3649: Add databases support (APPSEC-1251) (#3381)

docs/header_names/allowed_framework_names.adoc

@@ -97,6 +97,7 @@
 * Argon2-cffi
 * Bcrypt
 * Cryptodome
+* databases
 * Django
 * Django Templates
 * FastAPI

rules/S3649/common/fix/code-rationale.adoc

@@ -1,15 +1,14 @@
-The following code is an example of an overly simple authentication function.
+The following code is an example of an overly simple data retrieval function.
 It is vulnerable to SQL injection because user-controlled data is inserted
 directly into a query string: The application assumes that incoming data
-always has a specific range of characters, and ignores that some characters may
+always has a specific range of characters and ignores that some characters may
 change the query logic to a malicious one.
 
 In this particular case, the query can be exploited with the following string: 
 
 ----
-foo' OR 1=1 --
+' OR '1'='1
 ----
 
-By adapting and inserting this template string into one of the fields (`user` or `pass`), an
-attacker would be able to log in as any user within the scoped user table.
-
+Using the UNION clause, an attacker would also be able to perform queries against
+other tables and combine the returned data within the same query result.

rules/S3649/python/how-to-fix-it/databases.adoc

@@ -0,0 +1,33 @@
+== How to fix it in databases
+
+=== Code examples
+
+include::../../common/fix/code-rationale.adoc[]
+
+==== Noncompliant code example
+
+[source,python,diff-id=31,diff-type=noncompliant]
+----
+from fastapi import APIRouter
+router = APIRouter()
+
+@router.get('/example')
+async def  get_users(user: str):
+    await database.fetch_all("SELECT user FROM users WHERE user = '" + user + "'") # Noncompliant
+----
+
+==== Compliant solution
+
+[source,python,diff-id=31,diff-type=compliant]
+----
+from fastapi import APIRouter
+router = APIRouter()
+
+@router.get('/example')
+async def  get_users(user: str):
+    await database.fetch_all("SELECT user FROM users WHERE user = :user", values={'user':user}) # Compliant
+----
+
+=== How does this work?
+
+include::../../common/fix/prepared-statements.adoc[]

rules/S3649/python/how-to-fix-it/sqlalchemy.adoc

@@ -2,20 +2,7 @@
 
 === Code examples
 
-The following code is an example of an overly simple data retrieval function.
-It is vulnerable to SQL injection because user-controlled data is inserted
-directly into a query string: The application assumes that incoming data
-always has a specific range of characters and ignores that some characters may
-change the query logic to a malicious one.
-
-In this particular case, the query can be exploited with the following string: 
-
-----
-' OR '1'='1
-----
-
-Using the UNION clause, an attacker would also be able to perform queries against
-other tables and combine the returned data within the same query result.
+include::../../common/fix/code-rationale.adoc[]
 
 ==== Noncompliant code example
 

rules/S3649/python/how-to-fix-it/sqlite3.adoc

@@ -2,20 +2,7 @@
 
 === Code examples
 
-The following code is an example of an overly simple data retrieval function.
-It is vulnerable to SQL injection because user-controlled data is inserted
-directly into a query string: The application assumes that incoming data
-always has a specific range of characters and ignores that some characters may
-change the query logic to a malicious one.
-
-In this particular case, the query can be exploited with the following string:
-
-----
-' OR '1'='1
-----
-
-Using the UNION clause, an attacker would also be able to perform queries against
-other tables and combine the returned data within the same query result.
+include::../../common/fix/code-rationale.adoc[]
 
 ==== Noncompliant code example
 

rules/S3649/python/rule.adoc

@@ -10,6 +10,8 @@ include::how-to-fix-it/sqlalchemy.adoc[]
 
 include::how-to-fix-it/sqlite3.adoc[]
 
+include::how-to-fix-it/databases.adoc[]
+
 == Resources
 
 include::../common/resources/docs.adoc[]