(Sorry, if this is a dumb question....)
Veracode reports that my website has a security issue which relates to using the connection string from web.config.
Here is my code:
```vbnet
Imports System.Configuration
Imports System.Data.SqlClient

Public Function ExecuteScalar(ByVal sql As String) As Object
    Dim obj As Object = Nothing
    Try
        Dim connStr As String = ConfigurationManager.ConnectionStrings("mydatabase").ConnectionString
        Using conn As New SqlConnection(connStr) ''' Veracode reports the issue comes from this line
            conn.Open()
            If conn IsNot Nothing Then
                ''' execute my sql
            End If
        End Using
    Catch ex As Exception
        Throw ' rethrow as-is so the original stack trace is preserved ("Throw ex" would reset it)
    End Try
    Return obj
End Function
```
Veracode said:
This call to system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1() allows external control of system settings. The argument to the function is constructed using user-supplied input, which can disrupt service or cause an application to behave in unexpected ways. The first argument to !newinit_0_1() contains tainted data from the variable connStr. The tainted data originated from earlier calls to system_web_dll.system.web.httprequest.get_item, system_data_dll.system.data.common.dbdataadapter.fill, system_data_dll.system.data.sqlclient.sqlcommand.executescalar, and fmmobile8_dll.virtualcontroller.vc_wcfentry.
Remediation:
Never allow user-supplied or otherwise untrusted data to control system-level settings. Always validate user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
The same issue is reported by CWE: http://cwe.mitre.org/data/definitions/15.html
OK, the suggestion from Veracode says that I should check the format of the connection string before using it to create the SqlConnection object.
I also asked Google professor about how to check the format of a connection string. But the returned results said that we should create the SqlConnection object, then open it.
If the response is OK, the connection string is also in a valid format. Otherwise, the connection string is invalid.
Unfortunately, Veracode does not accept this answer.
So, my question is:
Should we check the format of the connection string before creating the SqlConnection object (as Veracode said)? If yes, how?
The problem is not the format of the connection string; it's that it may be controlled by somebody who is not intended to control it. For instance, an attacker may be able to change your web.config and have your application connect to a fake database to serve fake data. Note that such an attacker might be internal to your organization (a disgruntled IT ops employee), or an external attacker that has already gained some level of access.
So the question is whether you trust your web.config file according to your threat model. Probably you do, for several reasons (you have good processes to mitigate risks), in which case this would be "mitigated by design" in Veracode terms.
Basically it's just a warning to raise attention to the fact that web.config is in a sense external to your application and can be changed by more people than you would initially think of, and changes made by unintended people may lead to unwanted results.
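If you still want a concrete check in front of `New SqlConnection(...)`, the following is an added example (not code from the question, the answer, or Veracode): it parses the configured string with `SqlConnectionStringBuilder` and rejects anything that does not match an allow-list. It assumes a hypothetical appSettings key `AllowedSqlServers` holding a semicolon-separated list of permitted Data Source values.

```vbnet
Imports System
Imports System.Configuration
Imports System.Data.SqlClient

Public Module ConnectionStringPolicy

    ' Parses connStr and checks it against the servers this application is expected to use.
    ' Throws ConfigurationErrorsException so a tampered or malformed web.config fails closed.
    Public Function ValidateConnectionString(ByVal connStr As String,
                                             ByVal allowedServers As String()) As SqlConnectionStringBuilder
        If String.IsNullOrWhiteSpace(connStr) Then
            Throw New ConfigurationErrorsException("Connection string is empty.")
        End If

        Dim builder As SqlConnectionStringBuilder
        Try
            ' SqlConnectionStringBuilder throws ArgumentException on malformed input or unknown keywords.
            builder = New SqlConnectionStringBuilder(connStr)
        Catch ex As ArgumentException
            Throw New ConfigurationErrorsException("Connection string is malformed.", ex)
        End Try

        ' The Data Source must be one we know about: this is the "expected format" check.
        Dim serverOk As Boolean = False
        For Each s As String In allowedServers
            If String.Equals(s.Trim(), builder.DataSource, StringComparison.OrdinalIgnoreCase) Then
                serverOk = True
                Exit For
            End If
        Next
        If Not serverOk Then
            Throw New ConfigurationErrorsException("Unexpected Data Source: " & builder.DataSource)
        End If

        ' Require encrypted transport and refuse a clear-text SQL password sitting in web.config.
        If Not builder.Encrypt Then
            Throw New ConfigurationErrorsException("Encrypt=True is required.")
        End If
        If Not builder.IntegratedSecurity AndAlso builder.Password.Length > 0 Then
            Throw New ConfigurationErrorsException("Use integrated security instead of a clear-text password.")
        End If
        Return builder
    End Function

    ' Replacement for the raw New SqlConnection(connStr) call in the question.
    ' "AllowedSqlServers" is a hypothetical appSettings key assumed for this example.
    Public Function OpenValidatedConnection() As SqlConnection
        Dim connStr As String = ConfigurationManager.ConnectionStrings("mydatabase").ConnectionString
        Dim allowed As String() = ConfigurationManager.AppSettings("AllowedSqlServers").Split(";"c)
        Dim conn As New SqlConnection(ValidateConnectionString(connStr, allowed).ConnectionString)
        conn.Open()
        Return conn
    End Function
End Module
```

This narrows what a modified web.config can make the application do (wrong server, unencrypted link, leaked password), but it does not make web.config trustworthy; that still comes from the processes the answer above refers to.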