ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2077/csharp/comments-and-links.adoc

20 lines
1.4 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

=== on 16 Oct 2018, 17:38:58 Nicolas Harraudeau wrote:
*Implementation details*:
Note that the first parameter of many function has a ``++string++`` as first parameter. The reason is that we do not want to highlight the instantiation of empty objects such as ``++new OdbcCommand()++`` which have their command set later via their property ``++CommandText++``. The goal is to highlight the exact moment where the SQL string query is provided to the command. That way we highlight the place where the injection can take place.
Note also that no issue should be created if the SQL command has no risk of injection. Thus if the SQL command is a hard-coded string or the concatenation of hard-coded strings, it should not create an issue.
=== on 8 Oct 2019, 11:12:14 Andrei Epure wrote:
\[~nicolas.harraudeau] [~pierre-loup.tristant] - should this rule be harmonized with the libraries we support for RSPEC-3649 (e.g. Dapper, Petapoco, NHibernate)?
 
_see all the references in https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetCore/InternalBasic.CSharp.NetCore.csproj[InternalBasic.CSharp.NetCore.csproj] and https://github.com/SonarSource/sonar-security/blob/8.0.0-M1.5391/its/projects/internal/InternalBasic.CSharp/InternalBasic.CSharp.NetFramework/InternalBasic.CSharp.NetFramework.csproj[InternalBasic.CSharp.NetFramework.csproj]_
include::../comments-and-links.adoc[]
Reference in New Issue View Git Blame Copy Permalink