Tags: c#, connection-string, veracode, database-connection, secure-coding

External Control of System or Configuration Setting (CWE ID 15)


We had a security threat issue when scanning applications in Veracode and got "External Control of System or Configuration Setting (CWE ID 15)".

The scan reported the line using (var connection = new SqlConnection(connectionString)).

We are checking whether the SQL connection exists ("CheckSQLConnectionExists") by passing the connection string:

string sqlConnString = SqlHelper.GetSQLConnectionString(input.ServerName, dbName, isWinAuth, input.UserName, input.Password);
if (!DBUtil.CheckSQLConnectionExists(sqlConnString))
{
    _ValidationMessage += "Database Unreachable \n";
    isValid = false;
}

public static bool CheckSQLConnectionExists(string connectionString)
{
    bool isExist = false;
    try
    {
        // Opening the connection is the reachability check; the using block disposes it.
        using (var connection = new SqlConnection(connectionString))
        {
            connection.Open();
            connection.Close();
            isExist = true;
        }
    }
    catch (Exception ex)
    {
        Logger.Instance.Log(LogLevel.EXCEPTION, "CheckSQLConnectionExists Exception : " + ex.Message);
    }
    return isExist;
}

public static string GetSQLConnectionString(string servername, string db, bool isWinAuth, string username, string password)
{
    System.Data.SqlClient.SqlConnectionStringBuilder builder = new System.Data.SqlClient.SqlConnectionStringBuilder();
    builder["Data Source"] = servername;
    builder["Initial Catalog"] = db;

    if (isWinAuth)
    {
        builder["Integrated Security"] = "SSPI";
        builder["Trusted_Connection"] = "Yes";
    }
    else
    {
        builder["Persist Security Info"] = false;
        builder["User ID"] = username;
        builder["Password"] = password;
    }

    return builder.ConnectionString;
}

The security scan reports the error on this line: using (var connection = new SqlConnection(connectionString)). Could someone please provide suggestions on how to resolve this Veracode error?


Solution

  • Veracode detects input.ServerName, input.UserName and input.Password as user-controlled, which is a risk.

    Ensure validation is implemented: if possible, compare against a whitelist of known, predefined server names. Also check whether the entered (injected) Min Pool Size is larger than expected. Use framework classes such as the SqlConnectionStringBuilder you already used.

    Propose this check as a mitigation afterwards.
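An added example (not the question's code or the answerer's) of the checks the answer recommends, in C#: a whitelist of server names, a validated catalog name, and a re-parse of the finished string to reject an unexpected Min Pool Size before it is opened. The class name, the whitelist entries and the limit of 5 are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Hypothetical helper applying the whitelist and Min Pool Size checks from the answer.
public static class SafeSqlHelper
{
    // Constructed whitelist of known servers; in production load it from protected
    // configuration, never from the request.
    private static readonly HashSet<string> AllowedServers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "db-primary.example.internal", "db-reporting.example.internal" };
    // Largest Min Pool Size this application ever expects (assumed limit).
    private const int MaxMinPoolSize = 5;

    // Builds the connection string only from a whitelisted server. The builder quotes
    // values, so "srv;Min Pool Size=500" stays one (rejected) server name, not a new key.
    public static string BuildValidatedConnectionString(
        string serverName, string db, bool isWinAuth, string username, string password)
    {
        if (!AllowedServers.Contains(serverName ?? string.Empty))
            throw new ArgumentException("Server name is not on the whitelist.", nameof(serverName));
        if (string.IsNullOrWhiteSpace(db) || db.IndexOfAny(new[] { ';', '=', '\'', '"' }) >= 0)
            throw new ArgumentException("Database name contains disallowed characters.", nameof(db));
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = serverName,
            InitialCatalog = db,
            PersistSecurityInfo = false,
            IntegratedSecurity = isWinAuth
        };
        if (!isWinAuth)
        {
            builder.UserID = username;
            builder.Password = password;
        }
        return AssertExpectedSettings(builder.ConnectionString);
    }

    // Re-parses a finished connection string (e.g. one read from configuration) and
    // rejects an unexpected Data Source or Min Pool Size before the caller opens it.
    public static string AssertExpectedSettings(string connectionString)
    {
        var parsed = new SqlConnectionStringBuilder(connectionString);
        if (parsed.MinPoolSize > MaxMinPoolSize)
            throw new InvalidOperationException("Min Pool Size larger than expected: " + parsed.MinPoolSize);
        if (!AllowedServers.Contains(parsed.DataSource))
            throw new InvalidOperationException("Data Source is not on the whitelist: " + parsed.DataSource);
        return connectionString;
    }
}
```

Calling BuildValidatedConnectionString in place of GetSQLConnectionString keeps the scanner's flagged SqlConnection line unchanged while the user-controlled server name is checked before it reaches it.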