`var rname = new SQLiteCommand(taintedQuery, dbConnection).ExecuteScalar();` will be blocked by `RaspModule.runWaf` on execution and throw `BlockException`.
However, because the user code uses `catch (Exception ex)` to catch every exception without rethrowing it, `BlockingMiddleware` never receives the `BlockException` and cannot forward it.
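/// <summary>
/// Executes a SQLite query derived from the request and returns its scalar result.
/// When <paramref name="username"/> is set it is passed through <c>CreateTaintedQuery</c>
/// and the resulting SQL is executed; otherwise, when <paramref name="query"/> is set,
/// that string is executed verbatim.
/// </summary>
/// <param name="username">Value inserted into the SQL via <c>CreateTaintedQuery</c>; takes precedence over <paramref name="query"/>.</param>
/// <param name="query">Raw SQL executed as-is when <paramref name="username"/> is empty.</param>
/// <returns>
/// 200 with <c>Result: &lt;scalar&gt;</c> on success, 400 when neither parameter is set,
/// and 500 with the formatted exception when the query (or database creation) throws.
/// </returns>
[HttpGet("SqlQuery")]
[Route("SqlQuery/{username}")]
public IActionResult SqlQuery(string username, string query)
{
    try
    {
        // Lazily create the backing database on first use.
        if (dbConnection is null)
        {
            dbConnection = IastControllerHelper.CreateDatabase();
        }

        if (!string.IsNullOrEmpty(username))
        {
            // The query text is built from request input on purpose (see CreateTaintedQuery);
            // this endpoint exists to exercise that path, so it is left unparameterized.
            var taintedQuery = CreateTaintedQuery(username);
            return Content($"Result: {ExecuteScalar(taintedQuery)}");
        }

        if (!string.IsNullOrEmpty(query))
        {
            // This branch runs the request-supplied SQL string unchanged.
            return Content($"Result: {ExecuteScalar(query)}");
        }
    }
    catch (Exception ex)
    {
        // NOTE(review): this catch-all also swallows the exception the RASP module
        // throws to block the request (BlockException), so the blocking middleware
        // never sees it and the caller gets a 500 instead of the block response.
        // If blocked calls must stay blocked, exclude that type with an exception
        // filter (`when (ex is not BlockException)`) or catch only SQLite failures.
        return StatusCode(500, IastControllerHelper.ToFormattedString(ex));
    }

    return BadRequest("No username was provided");

    // Runs a scalar query against the shared connection and disposes the command,
    // which the original inline `new SQLiteCommand(...).ExecuteScalar()` never did.
    object ExecuteScalar(string sql)
    {
        using (var command = new SQLiteCommand(sql, dbConnection))
        {
            return command.ExecuteScalar();
        }
    }
}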
`var rname = new SQLiteCommand(taintedQuery, dbConnection).ExecuteScalar();` will be blocked by `RaspModule.runWaf` on execution and throw `BlockException`.
However, because the user code uses `catch (Exception ex)` to catch every exception without rethrowing it, `BlockingMiddleware` never receives the `BlockException` and cannot forward it.