ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2077/csharp/rule.adoc
Fred Tingaud 16f6c0aecf
Inline adoc when include has no additional value (#1940) 
Inline adoc files when they are included exactly once.

Also fix language tags because this inlining gives us better information
on what language the code is written in.
2023-05-25 14:18:12 +02:00

81 lines
3.1 KiB
Plaintext
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
public void Foo(DbContext context, string query, string param)
{
string sensitiveQuery = string.Concat(query, param);
context.Database.ExecuteSqlCommand(sensitiveQuery); // Sensitive
context.Query<User>().FromSql(sensitiveQuery); // Sensitive
context.Database.ExecuteSqlCommand($"SELECT * FROM mytable WHERE mycol={value}", param); // Sensitive, the FormattableString is evaluated and converted to RawSqlString
string query = $"SELECT * FROM mytable WHERE mycol={param}";
context.Database.ExecuteSqlCommand(query); // Sensitive, the FormattableString has already been evaluated, it won't be converted to a parametrized query.
}
public void Bar(SqlConnection connection, string param)
{
SqlCommand command;
string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param);
command = new SqlCommand(sensitiveQuery); // Sensitive
command.CommandText = sensitiveQuery; // Sensitive
SqlDataAdapter adapter;
adapter = new SqlDataAdapter(sensitiveQuery, connection); // Sensitive
}
----
== Compliant Solution
[source,csharp]
----
public void Foo(DbContext context, string query, string param)
{
context.Database.ExecuteSqlCommand("SELECT * FROM mytable WHERE mycol=@p0", param); // Compliant, it's a parametrized safe query
}
----
include::../see.adoc[]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::../message.adoc[]
include::../highlighting.adoc[]
'''
== Comments And Links
(visible only on this page)
=== on 16 Oct 2018, 17:38:58 Nicolas Harraudeau wrote:
*Implementation details*:
Note that the first parameter of many function has a ``++string++`` as first parameter. The reason is that we do not want to highlight the instantiation of empty objects such as ``++new OdbcCommand()++`` which have their command set later via their property ``++CommandText++``. The goal is to highlight the exact moment where the SQL string query is provided to the command. That way we highlight the place where the injection can take place.
Note also that no issue should be created if the SQL command has no risk of injection. Thus if the SQL command is a hard-coded string or the concatenation of hard-coded strings, it should not create an issue.
=== on 8 Oct 2019, 11:12:14 Andrei Epure wrote:
\[~nicolas.harraudeau] [~pierre-loup.tristant] - should this rule be harmonized with the libraries we support for RSPEC-3649 (e.g. Dapper, Petapoco, NHibernate)?
 
_see all the references in https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetCore/InternalBasic.CSharp.NetCore.csproj[InternalBasic.CSharp.NetCore.csproj] and https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetFramework/InternalBasic.CSharp.NetFramework.csproj[InternalBasic.CSharp.NetFramework.csproj]_
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink