Improper Neutralization of Special Elements in Data Query Logic

ID

scala.inject.scala_inject_rule_awsqueryinjection

Severity

high

Resource

Inject

Language

Scala

Description

Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records.

Rationale

Constructing SimpleDB queries containing user input can allow an attacker to view unauthorized records: when special characters in the input are not neutralized, the input can change the structure of the select expression instead of acting only as a value.

The following code illustrates a vulnerable pattern detected by this rule:

class AWSQueryInjection extends HttpServlet {
  /**
   * Example sink set for the rule: one request parameter flows unchanged into a
   * SimpleDB select expression and is sent through three different `select` calls.
   *
   * The value read at `getParameter` is client-controlled, so the only trusted
   * expression here is `query2`, which is built from constants alone.
   *
   * @param request  servlet request supplying the untrusted `customerID` parameter
   * @param response not used in this sample
   * @throws IOException as declared by the servlet contract
   */
  @throws[IOException]
  override def doGet(request: HttpServletRequest, response: HttpServletResponse): Unit = {
    try {
      // Taint source: any value the client sends in the query string or form body.
      val customerID = request.getParameter("customerID")
      val awsCredentials = new BasicAWSCredentials("test", "test")
      val sdbc = new AmazonSimpleDBClient(awsCredentials)
      // The untrusted value is concatenated straight into the expression. The literal
      // ends with an opening quote that is never closed, so the expression is malformed
      // even for a benign value and the value is free to alter its structure.
      val query = "select * from invoices where customerID = '" + customerID
      // VULNERABLE: Improper Neutralization of Special Elements in Data Query Logic
      val sdbResult = sdbc.select(new SelectRequest(query)) //BAD
      // VULNERABLE: Improper Neutralization of Special Elements in Data Query Logic
      // Same tainted expression through the two-argument constructor; the extra boolean
      // does not change what is sent as the select expression.
      val sdbResult2 = sdbc.select(new SelectRequest(query, false))
      val sdbRequest = new SelectRequest()
      // VULNERABLE: Improper Neutralization of Special Elements in Data Query Logic
      // Same tainted expression set through the fluent setter.
      val sdbResult3 = sdbc.select(sdbRequest.withSelectExpression(query))
      // Fully constant expression: nothing user-controlled reaches the query.
      val query2 = "select * from invoices where customerID = 123"
      val sdbResult4 = sdbc.select(new SelectRequest(query2)) //OK
    } catch {
      // NOTE(review): catching `Throwable` swallows every failure, including JVM errors,
      // so a rejected or malformed expression would never surface in logs. Outside an
      // illustrative sample, catch `NonFatal(e)` and log it.
      case _: Throwable =>
    }
  }

  /**
   * Second sink shape for the rule: two caller-supplied values are concatenated into
   * one select expression and sent through a builder-constructed client.
   *
   * NOTE(review): both parameters are typed `Nothing`, which no value inhabits, so the
   * method cannot be invoked as written; this looks like a placeholder left by a
   * mechanical Java-to-Scala translation and would be `String` in real code.
   *
   * @param customerID      caller-supplied value concatenated into the expression
   * @param productCategory caller-supplied value concatenated into the expression
   */
  def danger(customerID: Nothing, productCategory: Nothing): Unit = {
    // presumably resolves credentials/region through the SDK's default chain — not shown here
    val sdbc = AmazonSimpleDBClient.builder.build
    // Both values enter the expression unescaped; the trailing `order by '` also leaves an
    // unterminated quoted section, so the expression is malformed before any input arrives.
    val query = "select * from invoices where productCategory = '" + productCategory + "' and customerID = '" + customerID + "' order by '"
    // VULNERABLE: Improper Neutralization of Special Elements in Data Query Logic
    val sdbResult = sdbc.select(new SelectRequest(query))
  }

  def danger2(customerID: Nothing, productCategory: Nothing): Unit = {
    val sdbc = AmazonSimpleDBClient.builder.build
    val query = "select * from invoices where productCategory = '" + productCategory + "' and customerID = '" + customerID + "' order by '"
    // VULNERABLE: Improper Neutralization of Special Elements in Data Query Logic

Remediation

Do not build a SimpleDB select expression by concatenating user-controlled values such as request parameters into it; build the expression from trusted constants (as `query2` does in the example above) or validate each value against its expected format before it is used, and review the references below for detailed remediation guidance.

Configuration

This detector does not need any configuration.

References