C#: Add cs/sql-injection tests for APIs in Microsoft.Data.SqlClient.

michaelnebel · michaelnebel · commit eef6daa4a3b1 · 2025-06-25T14:34:19.000+02:00
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.cs
@@ -0,0 +1,42 @@
+using System;
+
+namespace System.Web.UI.WebControls
+{
+    public class TextBox { public string Text { get; set; } }
+}
+
+namespace Test
+{
+    using Microsoft.Data;
+    using Microsoft.Data.SqlClient;
+    using System.Web.UI.WebControls;
+
+    class SqlInjection
+    {
+        TextBox categoryTextBox;
+        string connectionString;
+
+        public void MakeSqlCommand()
+        {
+            // BAD: Text from a local textbox
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + box1.Text + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+
+            // BAD: Input from the command line.
+            using (var connection = new SqlConnection(connectionString))
+            {
+                var queryString = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                  + Console.ReadLine() + "' ORDER BY PRICE"; // $ Source[cs/sql-injection]
+                var cmd = new SqlCommand(queryString); // $ Alert[cs/sql-injection]
+                var adapter = new SqlDataAdapter(cmd); // $ Alert[cs/sql-injection]
+            }
+        }
+
+        System.Windows.Forms.TextBox box1;
+    }
+}
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.ext.yml
@@ -0,0 +1,7 @@
+extensions:
+
+  - addsTo:
+      pack: codeql/threat-models
+      extensible: threatModelConfiguration
+    data:
+      - ["local", true, 0]
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref b/csharp/ql/test/query-tests/Security Features/CWE-089-2/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: Security Features/CWE-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/csharp/ql/test/query-tests/Security Features/CWE-089-2/options b/csharp/ql/test/query-tests/Security Features/CWE-089-2/options
@@ -0,0 +1,4 @@
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Microsoft.Data.SqlClient/6.0.2/Microsoft.Data.SqlClient.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
