-
Notifications
You must be signed in to change notification settings - Fork 231
/
Copy pathExecutingSqlQueries.Net46.cs
325 lines (270 loc) · 21.2 KB
/
ExecutingSqlQueries.Net46.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
using System;
using System.Data;
using System.Data.Common;
using System.Data.SqlClient;
using System.Data.Odbc;
using System.Data.OracleClient;
using System.Data.SqlServerCe;
using MySql.Data.MySqlClient;
using Microsoft.Data.Sqlite;
using System.Data.SQLite;
namespace Tests.Diagnostics
{
class Program
{
private const string ConstantQuery = "";
public void CompliantSqlCommands(SqlConnection connection, SqlTransaction transaction, string query)
{
SqlCommand command;
command = new SqlCommand(); // Compliant
command = new SqlCommand(""); // Compliant
command = new SqlCommand(ConstantQuery); // Compliant
command = new SqlCommand(query); // Compliant, we don't know anything about the parameter
command = new SqlCommand(query, connection); // Compliant
command = new SqlCommand("", connection); // Compliant, constant queries are safe
command = new SqlCommand(query, connection, transaction); // Compliant
command = new SqlCommand("", connection, transaction); // Compliant, constant queries are safe
command = new SqlCommand(query, connection, transaction, SqlCommandColumnEncryptionSetting.Enabled); // Compliant
command = new SqlCommand("", connection, transaction, SqlCommandColumnEncryptionSetting.Enabled); // Compliant, constant queries are safe
command.CommandText = query; // Compliant, we don't know enough about the parameter
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant
SqlDataAdapter adapter;
adapter = new SqlDataAdapter(); // Compliant
adapter = new SqlDataAdapter(command); // Compliant
adapter = new SqlDataAdapter(query, ""); // Compliant
adapter = new SqlDataAdapter(query, connection); // Compliant
}
public void NonCompliant_Concat_SqlCommands(SqlConnection connection, SqlTransaction transaction, string query, string param)
{
var command = new SqlCommand(string.Concat(query, param)); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
command = new SqlCommand(query + param, connection); // Noncompliant
command = new SqlCommand("" + 1 + 2, connection); // Compliant
command = new SqlCommand(string.Concat(query, param), connection); // Noncompliant
command = new SqlCommand(string.Concat(query, param), connection, transaction); // Noncompliant
command = new SqlCommand(string.Concat(query, param), connection, transaction, SqlCommandColumnEncryptionSetting.Enabled); // Noncompliant
command.CommandText = string.Concat(query, param); // Noncompliant
// ^^^^^^^^^^^^^^^^^^^
string text = command.CommandText = string.Concat(query, param); // Noncompliant
var adapter = new SqlDataAdapter(string.Concat(query, param), ""); // Noncompliant
}
public void NonCompliant_Format_SqlCommands(SqlConnection connection, SqlTransaction transaction, string param)
{
var command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param)); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), connection); // Noncompliant
command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), connection, transaction); // Noncompliant
command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), connection, transaction, SqlCommandColumnEncryptionSetting.Enabled); // Noncompliant
int x = 1;
Guid g = Guid.NewGuid();
DateTime dateTime = DateTime.Now;
command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\", \"{2}\", \"{3}\")", x, g, dateTime), // Noncompliant - scalars can be dangerous and lead to expensive queries
connection, transaction, SqlCommandColumnEncryptionSetting.Enabled);
command = new SqlCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\", \"{2}\", \"{3}\")", x, param, dateTime), // Noncompliant
connection, transaction, SqlCommandColumnEncryptionSetting.Enabled);
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
string text = command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
var adapter = new SqlDataAdapter(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), ""); // Noncompliant
}
public void NonCompliant_Interpolation_SqlCommands(SqlConnection connection, SqlTransaction transaction, string param)
{
var command = new SqlCommand($"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
command = new SqlCommand($"SELECT * FROM mytable WHERE mycol={param}", connection, transaction, SqlCommandColumnEncryptionSetting.Enabled); // Noncompliant
command.CommandText = $"SELECT * FROM mytable WHERE mycol={param}"; // Noncompliant
// ^^^^^^^^^^^^^^^^^^^
var adapter = new SqlDataAdapter($"SELECT * FROM mytable WHERE mycol={param}", ""); // Noncompliant
}
public void OdbcCommands(OdbcConnection connection, OdbcTransaction transaction, string query)
{
OdbcCommand command;
command = new OdbcCommand(); // Compliant
command = new OdbcCommand(""); // Compliant
command = new OdbcCommand(ConstantQuery); // Compliant
command = new OdbcCommand(query); // Compliant, we don't know anything about the parameter
command = new OdbcCommand(query, connection); // Compliant
command = new OdbcCommand(query, connection, transaction); // Compliant
command.CommandText = query; // Compliant
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant
OdbcDataAdapter adapter;
adapter = new OdbcDataAdapter(); // Compliant
adapter = new OdbcDataAdapter(command); // Compliant
adapter = new OdbcDataAdapter(query, $"concatenated connection string {query}"); // Compliant
adapter = new OdbcDataAdapter(query, connection); // Compliant
}
/**
* For the rest of the frameworks, we do sparse testing, to keep tests maintainable and relevant
*/
public void NonCompliant_OdbcCommands(SqlConnection connection, SqlTransaction transaction, string query, string param)
{
var command = new OdbcCommand(string.Concat(query, param)); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
command.CommandText = string.Concat(query, param); // Noncompliant
command.CommandText = $"SELECT * FROM mytable WHERE mycol={param}"; // Noncompliant
var adapter = new OdbcDataAdapter(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), ""); // Noncompliant
}
public void OracleCommands(OracleConnection connection, OracleTransaction transaction, string query)
{
OracleCommand command;
command = new OracleCommand(); // Compliant
command = new OracleCommand(""); // Compliant
command = new OracleCommand(ConstantQuery); // Compliant
command = new OracleCommand(query); // Compliant, we don't know anything about the parameter
command = new OracleCommand(query, connection); // Compliant, we don't know anything about the parameter
command = new OracleCommand(query, connection, transaction); // Compliant, we don't know anything about the parameter
command.CommandText = query; // Compliant, we don't know anything about the parameter
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant, we don't know anything about the parameter
OracleDataAdapter adapter;
adapter = new OracleDataAdapter(); // Compliant
adapter = new OracleDataAdapter(command); // Compliant
adapter = new OracleDataAdapter(query, $"nonconcatenated connection string {query}"); // Compliant, we don't know anything about the parameter
adapter = new OracleDataAdapter(query, connection); // Compliant, we don't know anything about the parameter
}
public void NonCompliant_OracleCommands(OracleConnection connection, OracleTransaction transaction, string query, string param)
{
var command = new OracleCommand(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param)); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
command.CommandText = $"SELECT * FROM mytable WHERE mycol={param}"; // Noncompliant
new OracleDataAdapter(string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param), ""); // Noncompliant
}
public void SqlServerCeCommands(SqlCeConnection connection, SqlCeTransaction transaction, string query)
{
SqlCeCommand command;
command = new SqlCeCommand(); // Compliant
command = new SqlCeCommand(""); // Compliant
command = new SqlCeCommand(ConstantQuery); // Compliant
command = new SqlCeCommand(query); // Compliant
command = new SqlCeCommand(query, connection); // Compliant
command = new SqlCeCommand(query, connection, transaction); // Compliant
command.CommandText = query; // Compliant
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant
SqlCeDataAdapter adapter;
adapter = new SqlCeDataAdapter(); // Compliant
adapter = new SqlCeDataAdapter(command); // Compliant
adapter = new SqlCeDataAdapter(query, string.Concat("concatenated connection string", query)); // Compliant
adapter = new SqlCeDataAdapter(query, connection); // Compliant
}
public void NonCompliant_SqlCeCommands(SqlCeConnection connection, SqlCeTransaction transaction, string query, string param)
{
new SqlCeDataAdapter(string.Concat(query, param), ""); // Noncompliant
var command = new SqlCeCommand($"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant {{Make sure using a dynamically formatted SQL query is safe here.}}
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
}
public void MySqlDataCompliant(MySqlConnection connection, MySqlTransaction transaction, string query)
{
MySqlCommand command;
command = new MySqlCommand(); // Compliant
command = new MySqlCommand(""); // Compliant
command = new MySqlCommand(query, connection, transaction); // Compliant
command.CommandText = query; // Compliant
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant
var adapter = new MySqlDataAdapter("", connection); // Compliant
adapter = new MySqlDataAdapter(ConstantQuery, "connectionString"); // Compliant
MySqlHelper.ExecuteDataRow($"concatenated connection string = {query}", ConstantQuery); // Compliant
}
public void NonCompliant_MySqlData(MySqlConnection connection, MySqlTransaction transaction, string query, string param)
{
var command = new MySqlCommand($"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
command = new MySqlCommand($"SELECT * FROM mytable WHERE mycol={param}", connection); // Noncompliant
command = new MySqlCommand($"SELECT * FROM mytable WHERE mycol={param}", connection, transaction); // Noncompliant
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
var adapter = new MySqlDataAdapter($"SELECT * FROM mytable WHERE mycol=" + param, connection); // Noncompliant
MySqlHelper.ExecuteDataRow("connectionString", $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteDataRowAsync("connectionString", $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteDataRowAsync("connectionString", $"SELECT * FROM mytable WHERE mycol={param}", new System.Threading.CancellationToken()); // Noncompliant
MySqlHelper.ExecuteDataset("connectionString", $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteDatasetAsync("connectionString", $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteNonQuery("connectionString", $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteNonQueryAsync(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteReader(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteReaderAsync(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteScalar(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.ExecuteScalarAsync(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
MySqlHelper.UpdateDataSet("connectionString", $"SELECT * FROM mytable WHERE mycol={param}", new DataSet(), "tableName"); // Noncompliant
MySqlHelper.UpdateDataSetAsync("connectionString", $"SELECT * FROM mytable WHERE mycol={param}", new DataSet(), "tableName"); // Noncompliant
var script = new MySqlScript($"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
script = new MySqlScript(connection, $"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
}
public void MicrosoftDataSqliteCompliant(SqliteConnection connection, string query)
{
SqliteCommand command;
command = new SqliteCommand(); // Compliant
command = new SqliteCommand(""); // Compliant
command.CommandText = ConstantQuery; // Compliant
command.CommandText = query; // Compliant
}
public void NonCompliant_MicrosoftDataSqlite(SqliteConnection connection, string query, string param)
{
var command = new SqliteCommand($"SELECT * FROM mytable WHERE mycol={param}", connection); // Noncompliant
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
}
public void SystemDataSqliteCompliant(SQLiteConnection connection, SQLiteTransaction transaction, string query)
{
SQLiteCommand command;
command = new SQLiteCommand(); // Compliant
command = new SQLiteCommand(""); // Compliant
command = new SQLiteCommand(query, connection, transaction); // Compliant
command.CommandText = query; // Compliant
command.CommandText = ConstantQuery; // Compliant
string text;
text = command.CommandText; // Compliant
text = command.CommandText = query; // Compliant
SQLiteCommand.Execute("SELECT * FROM mytable WHERE mycol={param}", SQLiteExecuteType.None, $"connectionString={query}"); // Compliant
}
public void NonCompliant_SystemDataSqlite(SQLiteConnection connection, SQLiteTransaction transaction, string query, string param)
{
var command = new SQLiteCommand($"SELECT * FROM mytable WHERE mycol={param}"); // Noncompliant
command = new SQLiteCommand($"SELECT * FROM mytable WHERE mycol={param}", connection); // Noncompliant
command = new SQLiteCommand($"SELECT * FROM mytable WHERE mycol={param}", connection, transaction); // Noncompliant
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
var adapter = new SQLiteDataAdapter($"SELECT * FROM mytable WHERE mycol=" + param, connection); // Noncompliant
SQLiteCommand.Execute($"SELECT * FROM mytable WHERE mycol={param}", SQLiteExecuteType.None, "connectionString"); // Noncompliant
}
public void ConcatAndStringFormat(SqlConnection connection, string param)
{
SqlCommand command;
string sensitiveQuery = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Secondary [1,2,3,4,5] {{SQL Query is dynamically formatted and assigned to sensitiveQuery.}}
// ^^^^^^^^^^^^^^
command = new SqlCommand(sensitiveQuery); // Noncompliant [1]
command.CommandText = sensitiveQuery; // Noncompliant [2]
string stillSensitive = sensitiveQuery; // Secondary [3] {{SQL query is assigned to stillSensitive.}} ^20#14
command.CommandText = stillSensitive; // Noncompliant [3] ^13#19
string sensitiveConcatQuery = "SELECT * FROM Table1 WHERE col1 = '" + param + "'"; // Secondary [6,7,8] {{SQL Query is dynamically formatted and assigned to sensitiveConcatQuery.}}
command = new SqlCommand(sensitiveConcatQuery); // Noncompliant [6]
command.CommandText = sensitiveConcatQuery; // Noncompliant [7]
string stillSensitiveConcat = sensitiveConcatQuery; // Secondary [8] {{SQL query is assigned to stillSensitiveConcat.}}
command.CommandText = stillSensitiveConcat; // Noncompliant [8]
SqlDataAdapter adapter;
adapter = new SqlDataAdapter(sensitiveQuery, connection); // Noncompliant [4]
command = new SqlCommand("SELECT * FROM Table1 WHERE col1 = '" + param + "'"); // Noncompliant
command.CommandText = "SELECT * FROM Table1 WHERE col1 = '" + param + "'"; // Noncompliant
string x = null;
x = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Secondary [9] {{SQL Query is dynamically formatted and assigned to x.}} ^13#1
command.CommandText = x; // Noncompliant [9]
string y;
y = sensitiveQuery; // Secondary [5] {{SQL query is assigned to y.}} ^13#1
command.CommandText = y; // Noncompliant [5]
}
public void DbCommand_CommandText(DbCommand command, string param)
{
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
}
public void IDbCommand_CommandText(IDbCommand command, string param)
{
command.CommandText = string.Format("INSERT INTO Users (name) VALUES (\"{0}\")", param); // Noncompliant
}
}
}