Potential fix for code scanning alert no. 75: SQL query built from user-controlled sources #53
+8
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…er-controlled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| command.CommandText = sql; |
Check failure
Code scanning / CodeQL
SQL query built from user-controlled sources High
There was a problem hiding this comment.
This automated suggestion is way off.
I will use this branch however to remove the direct path for string concatenation. I believe in the commit that was intended to address this, there is already some checking that the values passed are valid based on model configuration. Here I will go a step further and look the values up, and concatenate them the value returned from various dictionaries or lists (they should after all be the same value). In the absence of the values available, will error it out.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/jube-home/jube/security/code-scanning/75
To fix the problem, we should use parameterized queries for the entire SQL statement, not just the values. This involves restructuring the code to avoid direct concatenation of user inputs into the SQL query. Instead, we should use placeholders for all parts of the query that are influenced by user input and then bind the actual values to these placeholders.
In the
PrepareAsyncmethod, we will modify the SQL query to use named parameters and bind the corresponding values from theparameterslist. This will ensure that the SQL query is safe from injection attacks.Suggested fixes powered by Copilot Autofix. Review carefully before merging.