Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) — Veracode


  • User1371774763 posted

    Hi All,

    I am getting an SQL Injection flaw at the ExecuteNonQuery() method in the code below, even though I used parameterized prepared statements to pass the SQL query.

    My code: 

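    /// <summary>
    /// Creates the provider-specific connection for <paramref name="databaseConfigKey"/>
    /// and, for the DB2 and SQL providers, runs the optional "SET CURRENT ..." session
    /// statements taken from the Creator / Path / Schema configuration values.
    /// </summary>
    /// <param name="databaseConfigKey">Configuration key under which the connection
    /// string and the optional "Creator", "Path" and "Schema" values are stored.</param>
    /// <exception cref="ArgumentException">A configured Creator, Path or Schema value
    /// contains characters that are not allowed in an unquoted SQL identifier.</exception>
    public DbEngine(string databaseConfigKey)
    {
        string strConnString = getConnectionString(databaseConfigKey);

        switch (provider)
        {
            case DbProvider.DB2:
                db2Conn = new DB2Connection(strConnString);
                break;
            case DbProvider.ODBC:
                dbConn = new OdbcConnection(strConnString);
                break;
            case DbProvider.OLE:
                dbConn = new OleDbConnection(strConnString);
                break;
            case DbProvider.SQL:
                dbConn = new SqlConnection(strConnString);
                break;
        }

        dbParams = new ArrayList();

        // The DB2 and SQL branches were identical copies, so they share one path.
        // ExecuteNonQuery() runs whatever is in the sqlStatement field, so the text is
        // assigned there before the call.
        if (provider == DbProvider.DB2 || provider == DbProvider.SQL)
        {
            sqlStatement = BuildSessionStatements(databaseConfigKey);
            if (sqlStatement != "") ExecuteNonQuery();
        }

        queryTimeOut = 180;
        Init();
    }

    /// <summary>
    /// Assembles the "SET CURRENT SQLID / PATH / SCHEMA" statements for the configured
    /// Creator, Path and Schema values. The values are spliced into plain statement text
    /// (no command parameters are involved), so each one is first restricted to SQL
    /// identifier characters; a configuration value carrying quotes, a semicolon or
    /// whitespace is rejected instead of becoming part of the executed SQL.
    /// Null or empty values are treated as "not configured".
    /// </summary>
    /// <param name="databaseConfigKey">Configuration key the values are read from.</param>
    /// <returns>The concatenated statements, or "" when nothing is configured.</returns>
    private static string BuildSessionStatements(string databaseConfigKey)
    {
        string strCreator = Util.GetConfigValue(databaseConfigKey, "Creator");
        string strPath = Util.GetConfigValue(databaseConfigKey, "Path");
        string strSchema = Util.GetConfigValue(databaseConfigKey, "Schema");

        string statements = "";
        if (!string.IsNullOrEmpty(strCreator))
        {
            statements += "SET CURRENT SQLID=" + RequireSqlIdentifier(strCreator, "Creator", false) + ";";
        }
        if (!string.IsNullOrEmpty(strPath))
        {
            // CURRENT PATH is a comma-separated list of schema names, so commas are allowed here.
            statements += "SET CURRENT PATH=" + RequireSqlIdentifier(strPath, "Path", true) + ";";
        }
        if (!string.IsNullOrEmpty(strSchema))
        {
            statements += "SET CURRENT SCHEMA=" + RequireSqlIdentifier(strSchema, "Schema", false) + ";";
        }
        return statements;
    }

    /// <summary>
    /// Returns <paramref name="value"/> unchanged when every character is one allowed in
    /// an unquoted SQL identifier (letter, digit, '_', '$', '#', '@'); with
    /// <paramref name="allowCommaList"/> set, ',' is also accepted so a list of
    /// identifiers passes. Anything else is rejected so it cannot alter the statement.
    /// </summary>
    /// <param name="value">The configured value to check.</param>
    /// <param name="settingName">Name of the configuration value, for the error message.</param>
    /// <param name="allowCommaList">Whether a comma-separated list is acceptable.</param>
    /// <returns>The validated value.</returns>
    /// <exception cref="ArgumentException">The value contains a disallowed character.</exception>
    private static string RequireSqlIdentifier(string value, string settingName, bool allowCommaList)
    {
        foreach (char c in value)
        {
            bool allowed = char.IsLetterOrDigit(c)
                || c == '_' || c == '$' || c == '#' || c == '@'
                || (allowCommaList && c == ',');
            if (!allowed)
            {
                throw new ArgumentException(
                    "Configuration value '" + settingName + "' contains characters that are not valid in an SQL identifier.");
            }
        }
        return value;
    }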

    Code where I am getting the SQL Injection flaw (the line is highlighted below):

     /// <summary>
     /// Executes the text currently held in the sqlStatement field against the active
     /// connection. Only the DB2 branch is visible in this excerpt; the remainder of the
     /// method, including the end of the try block and the return, is not shown.
     /// </summary>
     /// <returns>Initialised to -1 here; what is returned on success is outside this excerpt.</returns>
     public int ExecuteNonQuery()
            {
                int returnCode = -1;
                try
                {
                    if (provider == DbProvider.DB2)
                    {
                        DB2Command db2Cmd = new DB2Command();
                        db2Cmd.Connection = db2Conn;
                        // sqlStatement is whatever the caller last assigned. For the constructor
                        // path it is built by concatenating configuration values into the text,
                        // and that is what a scanner flags on this line: the parameters added
                        // below do not cover text that was already spliced in. Any validation
                        // has to happen where the statement text is assembled.
                        db2Cmd.CommandText = sqlStatement;
                        //db2Cmd.CommandType = sqlType;
                        db2Cmd.Transaction = db2Trans;
                        db2Cmd.CommandTimeout = queryTimeOut;
                        PopulateCmdParameters(db2Cmd.Parameters);
                        // Opened here only when no transaction is active; nothing in this excerpt
                        // closes it again, so the close presumably lives in the part not shown — verify.
                        if (db2Trans == null) db2Conn.Open();
                        db2Cmd.ExecuteNonQuery();
                    }

    Friday, December 1, 2017 7:00 AM

All replies

  • User753101303 posted

    Hi,

    Which one? It's best to narrow down the code you post and use the "code sample" button so that it is properly formatted.

    This kind of tool likely just tries to trace back whether the string you are running is entirely under your control (such as a constant). I would write a simple test app to better understand how it works if it is not documented in the product (here I suspect it can't be 100% sure, as the string comes from a config file).

    Not directly related but have a look at https://docs.microsoft.com/en-us/dotnet/framework/data/adonet/dbproviderfactories

    I believe you'll be in for a shock ;-)

    Friday, December 1, 2017 8:10 AM
  • User1371774763 posted

    Hi,

    Thank you for the response; as suggested, I have reduced the code. Please have a look; meanwhile I am going through the link provided.

    Friday, December 1, 2017 9:08 AM
  • User753101303 posted

    AFAIK this kind of product tries to trace back where the SqlStatement strings come from. Here it might see that at some point you are taking values from somewhere (your web.config file), so strictly speaking it can't guarantee you don't have a vulnerability through this...

    I would try:
    string strCreator = "Constant string"; //Util.GetConfigValue(databaseConfigKey, "Creator");
    string strPath = "Constant string"; //Util.GetConfigValue(databaseConfigKey, "Path");
    string strSchema = "Constant string"; //Util.GetConfigValue(databaseConfigKey, "Schema");

    If confirmed, you could perhaps mark some methods as being safe. Doesn't the product give an explanation of the exact check it performs for this message?

    BTW, if they have a forum, you might get better help there...

    Friday, December 1, 2017 9:52 AM