
Fix S2077 FN: Add support for Mono.Data.Sqlite #7261

Closed
loris-s-sonarsource opened this issue May 24, 2023 · 1 comment · Fixed by #7466
loris-s-sonarsource commented May 24, 2023

Description

Hey dotnet artists!

While tackling APPSEC-725 for the WebGoat framework, it appeared that we did not support the following two method IDs in this rule:

Mono.Data.Sqlite.SqliteDataAdapter.SqliteDataAdapter(string, Mono.Data.Sqlite.SqliteConnection)
Mono.Data.Sqlite.SqliteCommand.SqliteCommand(string, Mono.Data.Sqlite.SqliteConnection)

Cheers!

Repro steps

This appears in the WebGoat.Net project, in this file: https://github.com/jerryhoff/WebGoat.NET/blob/1c6cab19f9029673cd98ba8624bf9cc91d04bae9/WebGoat/App_Code/DB/SqliteDbProvider.cs.

Here is a reproducer:

using Mono.Data.Sqlite;

namespace Reproducer
{
    public class S2077
    {
        void Reproduce(string connectionString, string query)
        {
            // Query text built by string concatenation: the caller-supplied value lands directly in the SQL (this is what S2077 is meant to flag)
            string sql = "select * from table where query = '" + query + "';";

            using (SqliteConnection connection = new SqliteConnection(connectionString))
            {
                connection.Open();

                SqliteDataAdapter da = new SqliteDataAdapter(sql, connection); // FN: S2077

                SqliteCommand command = new SqliteCommand(sql, connection); // FN: S2077
            }
        }
    }
}

Related information

  • .Net Framework v3.5
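Added example (not code from the issue, WebGoat.NET or the analyzer project): the same two Mono.Data.Sqlite constructors written so that S2077 has nothing to flag, with the SQL text kept constant and the caller-supplied value bound as a parameter. The in-memory connection string and the items table are constructed for the demo.

```csharp
using System;
using System.Data;
using Mono.Data.Sqlite;

namespace Hardened
{
    public static class S2077Fixed
    {
        // Constructed for the demo: an in-memory database, so nothing touches disk.
        const string ConnectionString = "Data Source=:memory:;Version=3;";

        // Same constructor as the reproducer, but the SQL text is a constant and the
        // caller-supplied value is bound as a parameter, never spliced into the query.
        public static int CountMatches(SqliteConnection connection, string name)
        {
            const string sql = "SELECT COUNT(*) FROM items WHERE name = @name;";
            using (var command = new SqliteCommand(sql, connection))
            {
                command.Parameters.Add(new SqliteParameter("@name", name));
                return Convert.ToInt32(command.ExecuteScalar());
            }
        }

        // The adapter overload from the issue; the parameter is attached to its SelectCommand.
        public static DataTable LoadMatches(SqliteConnection connection, string name)
        {
            const string sql = "SELECT * FROM items WHERE name = @name;";
            var table = new DataTable();
            using (var da = new SqliteDataAdapter(sql, connection))
            {
                da.SelectCommand.Parameters.Add(new SqliteParameter("@name", name));
                da.Fill(table);
            }
            return table;
        }

        public static void Main()
        {
            using (var connection = new SqliteConnection(ConnectionString))
            {
                connection.Open();
                using (var setup = new SqliteCommand("CREATE TABLE items (name TEXT); INSERT INTO items VALUES ('apple');", connection))
                    setup.ExecuteNonQuery();
                // Under concatenation this input would turn the WHERE clause into a tautology;
                // bound as a parameter it is compared as a plain string and matches no row.
                string tautology = "' OR '1'='1";
                Console.WriteLine(CountMatches(connection, "apple") + " / " + CountMatches(connection, tautology));
                Console.WriteLine(LoadMatches(connection, tautology).Rows.Count);
            }
        }
    }
}
```

The first line printed should show one match for the literal name and none for the quoted input, which is the behaviour the rule is trying to steer code toward.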
@loris-s-sonarsource loris-s-sonarsource added Type: False Negative Rule is NOT triggered when it should be. Area: C# C# rules related issues. labels May 24, 2023
@pavel-mikula-sonarsource pavel-mikula-sonarsource added the Area: Security Related to Vulnerability and Security Hotspot rules label May 31, 2023
@martin-strecker-sonarsource martin-strecker-sonarsource added this to the 9.5 milestone Jun 16, 2023
martin-strecker-sonarsource (Contributor) commented:

The Mono.Data.Sqlite.dll is directly referenced in WebGoat.

https://www.nuget.org/packages/Mono.Data.Sqlite is the package we should support in our tests, as it contains the right types (SqliteDataAdapter, SqliteConnection, and SqliteCommand from the Mono.Data.Sqlite namespace).
