Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ID

scala.inject.scala_inject_rule_sqlinjection

Severity

high

Resource

Inject

Language

Scala

Description

Input values included in SQL queries must be passed in safely. Bind variables in prepared statements are an easy way to mitigate the risk of SQL injection.

Rationale

Concatenating input into a query string lets that input change the structure of the query rather than just its data. Bind variables in prepared statements keep the data separate from the SQL text, so passing input values that way mitigates the risk of SQL injection.

The following code illustrates a vulnerable pattern detected by this rule:

def testJdoQueries(input: String): Unit = {
  // SqlInjection.getPM is a test helper that supplies a PersistenceManager
  val pm: javax.jdo.PersistenceManager = SqlInjection.getPM
  // VULNERABLE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  // `input` is concatenated into a JDOQL string
  pm.newQuery("select * from Users where name = " + input)
  // VULNERABLE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  // `input` is concatenated into a native SQL string
  pm.newQuery("sql", "select * from Products where name = " + input)
  // Not flagged (false-positive check): constant query strings with no input concatenated
  pm.newQuery("select * from Config")
  val query = "select * from Config"
  pm.newQuery(query)
  pm.newQuery("sql", query)
}

Remediation

Pass untrusted values to the query as bind variables in prepared statements rather than concatenating them into the query string. Follow secure coding practices and review the references below for detailed remediation guidance.
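The bind-variable form of the two flagged calls above, as an added Scala example that is not part of this rule's documentation or the analyzer's own code. It assumes persistence-capable classes User and Product with a String field name (mapped to the Users and Products tables), a PersistenceManager supplied by the caller, and, for the JDBC variant, a java.sql.Connection; the class and table names are illustrative placeholders.

```scala
import javax.jdo.{PersistenceManager, Query}
import scala.jdk.CollectionConverters._   // Scala 2.13+; use JavaConverters on 2.12

// Assumed for this example: persistence-capable classes mapped to the
// Users and Products tables, each with a String field `name`.
class User { var name: String = _ }
class Product { var name: String = _ }

object SafeQueries {

  // Hardened form of pm.newQuery("select * from Users where name = " + input):
  // a JDOQL filter with a declared parameter. The query text is constant and
  // `input` is bound at execution time, so it can only ever be compared as data.
  def findUsersByName(pm: PersistenceManager, input: String): List[User] = {
    val q: Query = pm.newQuery(classOf[User], "name == nameParam")
    q.declareParameters("String nameParam")
    q.execute(input).asInstanceOf[java.util.Collection[User]].asScala.toList
  }

  // Hardened form of pm.newQuery("sql", "select * from Products where name = " + input):
  // native SQL through JDO with a positional `?` placeholder bound at execution time.
  def findProductsByName(pm: PersistenceManager, input: String): List[Product] = {
    val q: Query = pm.newQuery("javax.jdo.query.SQL", "SELECT * FROM Products WHERE name = ?")
    q.setClass(classOf[Product])
    q.execute(input).asInstanceOf[java.util.Collection[Product]].asScala.toList
  }

  // The same principle with plain JDBC: a PreparedStatement with a `?` placeholder,
  // and the value supplied through setString rather than string concatenation.
  def findUserNamesJdbc(conn: java.sql.Connection, input: String): List[String] = {
    val ps = conn.prepareStatement("SELECT name FROM Users WHERE name = ?")
    try {
      ps.setString(1, input)
      val rs = ps.executeQuery()
      val names = scala.collection.mutable.ListBuffer.empty[String]
      while (rs.next()) names += rs.getString("name")
      names.toList
    } finally ps.close()
  }
}
```

In each variant the query string is a compile-time constant, which is also what this detector looks for: the rule flags query arguments that are built by concatenating a non-constant value, and leaves constant strings such as the `select * from Config` calls in the vulnerable sample unflagged.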

Configuration

This detector does not need any configuration.

References