Tags: sql-server, sonarqube, sql-injection, .net-4.6

SonarQube reports SQL injection on stored procedure name


I have started to use SonarQube for static analysis. It reports quite a lot of SQL injection vulnerabilities, but they look to be false positive findings.

Let's say that a procedure needs to be run on the database. The procedure name is taken from configuration.

SonarQube is reporting:

Make sure to sanitize the parameters of this SQL command.

Example code:

using System.Data;
using System.Data.SqlClient;

// procName comes from configuration; Connection is an open SqlConnection;
// record is the value to pass to the procedure.
using (SqlCommand cmd = new SqlCommand(procName, Connection))
{
    cmd.CommandType = CommandType.StoredProcedure;
    // The data value is bound as a typed parameter, not concatenated into the command text.
    cmd.Parameters.Add(new SqlParameter("@param", SqlDbType.NVarChar, 32)).Value = record;
    using (SqlDataReader dr = cmd.ExecuteReader())
    {
    }
}

Can there be any SQL injection just through the procedure name? Does the name need to be sanitized?


Solution

  • I admit that the implementation of S3649 is not the smartest: it will raise issues if you pass a non-constant string to the CommandText property of SqlCommand, or to the corresponding constructor argument.

    If you are sure that the value of CommandText is not coming from a potentially exploitable source (e.g. a query string parameter), the best way to handle this particular issue would be to mark it as "Won't Fix" in SonarQube. If you are also using SonarLint in Connected Mode for this project, it will automatically suppress the issue from showing up in the IDE.

    On the other hand, if the value could come from an exploitable source, such as a query string parameter, request body, cookie, header, etc., setting CommandType = StoredProcedure could still not be enough to prevent an attacker from executing a different stored procedure on your database than the one you intended. In such a case it would probably be better to create separate wrapper methods for the stored procedures you have, thus preventing potential attackers from selecting a different SP to execute.
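The wrapper-method approach from the answer, written out as an added example (this is not code from the question, the answer, or SonarSource). The procedure names `dbo.usp_LookupRecord` and `dbo.usp_ArchiveRecord`, the configuration keys `lookup` and `archive`, and the `ProcedureRunner` class are assumptions made for the illustration. The idea is that configuration (or any request value) only ever selects a key from a fixed allow-list; the string handed to `SqlCommand` is always a compile-time constant, so neither a tampered config file nor an attacker-supplied value can name a different procedure, and S3649 no longer sees a non-constant `CommandText`.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: one wrapper per stored procedure, with the procedure name fixed
// in code and only the data bound as a typed parameter.
public sealed class ProcedureRunner
{
    // Assumed allow-list: the only procedures this component is permitted to call.
    private static readonly IReadOnlyDictionary<string, string> AllowedProcedures =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["lookup"]  = "dbo.usp_LookupRecord",   // hypothetical procedure
            ["archive"] = "dbo.usp_ArchiveRecord",  // hypothetical procedure
        };

    private readonly SqlConnection _connection;

    public ProcedureRunner(SqlConnection connection)
    {
        _connection = connection ?? throw new ArgumentNullException(nameof(connection));
    }

    // Maps a configuration key (e.g. "lookup") to a known procedure name.
    // Anything outside the allow-list is rejected before it reaches SQL Server,
    // so a value such as "dbo.usp_DropEverything" can never be executed.
    public static string ResolveProcedureName(string configKey)
    {
        if (configKey != null &&
            AllowedProcedures.TryGetValue(configKey.Trim(), out string procName))
        {
            return procName;
        }
        throw new ArgumentException(
            $"'{configKey}' is not a permitted stored procedure key.", nameof(configKey));
    }

    // Wrappers: the caller chooses a method, not a procedure name.
    public void LookupRecord(string record, Action<SqlDataReader> onRow)
        => Execute(AllowedProcedures["lookup"], record, onRow);

    public void ArchiveRecord(string record, Action<SqlDataReader> onRow)
        => Execute(AllowedProcedures["archive"], record, onRow);

    private void Execute(string procName, string record, Action<SqlDataReader> onRow)
    {
        using (var cmd = new SqlCommand(procName, _connection))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // The user-controlled value is a typed parameter, never part of the command text.
            cmd.Parameters.Add(new SqlParameter("@param", SqlDbType.NVarChar, 32)).Value = record;
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                while (dr.Read())
                {
                    onRow(dr);
                }
            }
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Resolution works without a database, so the allow-list behaviour can be
        // checked on its own: a known key resolves, an unknown one is rejected.
        Console.WriteLine(ProcedureRunner.ResolveProcedureName("lookup"));   // dbo.usp_LookupRecord
        try
        {
            ProcedureRunner.ResolveProcedureName("dbo.usp_DropEverything");
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }

        // Executing against a real server (connection string is a placeholder):
        // using (var conn = new SqlConnection("Server=...;Database=...;Integrated Security=true"))
        // {
        //     conn.Open();
        //     new ProcedureRunner(conn).LookupRecord("ABC123", dr => Console.WriteLine(dr[0]));
        // }
    }
}
```

The reason a fixed name matters even with `CommandType.StoredProcedure`: in that mode SqlClient does not build a T-SQL batch from `CommandText`, it sends an RPC request naming that procedure, so an attacker cannot append a second statement through the name, but they can still name any procedure the application's login has EXECUTE permission on. Restricting the callable set in code (and granting EXECUTE only on those procedures) closes that gap; `ResolveProcedureName` is the place to hook in if the key genuinely must come from configuration.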