SonarSource / sonar-dotnet

Code analyzer for C# and VB.NET projects
https://redirect.sonarsource.com/plugins/csharp.html
GNU Lesser General Public License v3.0

Fix S2077 FN: SQL Injection Hotspot not triggered using EntityFramework #5636

Open mattwatsonad opened 2 years ago

mattwatsonad commented 2 years ago

Description

When using DataContext.TableName.FromSql("") SQL injection hotspots are not being picked up.

Repro steps

using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

public class SearchController : ControllerBase
{
    private DataContext DataContext { get; }   // the application's DbContext, which exposes DbSet MyTable
    [HttpGet("search/{searchTerm}")]
    public async Task<IActionResult> DoSearch(string searchTerm)
    {
        // searchTerm comes straight from the route into the FromSql argument
        var result = await DataContext.MyTable
            .FromSql($"Search { searchTerm }")
            .AsNoTracking()
            .ToListAsync();
        return Ok(result);
    }
}

Expected behavior

It should identify that user input is being put straight into a string executed as SQL, and flag it as a hotspot.

Actual behavior

No issues of any kind are detected on the above snippet.

Known workarounds

None

Related information

SonarQube Developer Edition Version 9.3 (build 51899)
ASP.NET Core 3.1
C# Project

costin-zaharia-sonarsource commented 2 years ago

Hi @mattwatsonad, thanks for reporting the issue. I can confirm the false negative.

sebastien-marichal commented 4 months ago

Based on the documentation, interpolated strings are safe.

"Any interpolated parameter values you supply will automatically be converted to a DbParameter."

Before closing this issue we need to update the reproducer to remove the // Compliant - FN comments.
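The distinction the thread turns on (the reporter's expected behaviour in the first comment, and the FormattableString explanation in the last), as an added example that is not part of the issue or of the sonar-dotnet project: the same stored-procedure call written four ways, two of which splice user input into the SQL text and two of which bind it as a DbParameter. It assumes EF Core 3.1 or later on SQL Server, a DbContext named DataContext with a DbSet MyTable, and a stored procedure Search that takes one string argument; all of those names, and the MyRow entity, are assumptions made for the example.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Assumed schema: one table mapped to MyRow and a stored procedure `Search`
// that takes a single nvarchar argument and returns rows shaped like MyRow.
public class MyRow
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class DataContext : DbContext
{
    public DataContext(DbContextOptions<DataContext> options) : base(options) { }
    public DbSet<MyRow> MyTable { get; set; }
}

[ApiController]
[Route("api")]
public class SearchController : ControllerBase
{
    private readonly DataContext _db;
    public SearchController(DataContext db) => _db = db;

    // INJECTABLE: FromSqlRaw's parameter is a plain string, so the C# compiler
    // performs the interpolation before the call and searchTerm becomes part of
    // the SQL text. A route value containing a single quote closes the literal
    // and everything after it is executed as SQL. This is the shape S2077 targets.
    [HttpGet("search-raw/{searchTerm}")]
    public async Task<IActionResult> SearchRaw(string searchTerm)
    {
        var rows = await _db.MyTable
            .FromSqlRaw($"EXEC Search '{searchTerm}'")
            .AsNoTracking()
            .ToListAsync();
        return Ok(rows);
    }

    // EQUALLY INJECTABLE: assigning the `$` string to a `string` variable first
    // discards the FormattableString, so the call below sees only concatenated text.
    [HttpGet("search-string/{searchTerm}")]
    public async Task<IActionResult> SearchViaStringVariable(string searchTerm)
    {
        string sql = $"EXEC Search '{searchTerm}'";
        var rows = await _db.MyTable.FromSqlRaw(sql).AsNoTracking().ToListAsync();
        return Ok(rows);
    }

    // SAFE: the interpolated string binds to the FormattableString overload, so
    // EF Core turns each {hole} into a DbParameter (EXEC Search @p0) instead of
    // splicing text. FromSql($"...") in EF Core 2.x and 7+ and FromSqlInterpolated
    // in 3.x to 6.x behave the same way, which is why the issue's repro parameterises.
    [HttpGet("search/{searchTerm}")]
    public async Task<IActionResult> SearchInterpolated(string searchTerm)
    {
        var rows = await _db.MyTable
            .FromSqlInterpolated($"EXEC Search {searchTerm}")
            .AsNoTracking()
            .ToListAsync();
        return Ok(rows);
    }

    // ALSO SAFE: FromSqlRaw with a positional placeholder and a separate argument;
    // EF Core binds the argument as a DbParameter rather than formatting it into
    // the string, so the single quotes are not needed and must not be added.
    [HttpGet("search-placeholder/{searchTerm}")]
    public async Task<IActionResult> SearchWithPlaceholder(string searchTerm)
    {
        var rows = await _db.MyTable
            .FromSqlRaw("EXEC Search {0}", searchTerm)
            .AsNoTracking()
            .ToListAsync();
        return Ok(rows);
    }
}
```

The first two actions and the last two send byte-for-byte different commands to the server: the injectable ones ship the user's text inside the SQL, the safe ones ship `EXEC Search @p0` plus a separately typed parameter. The only things that separate them in source are the parameter type of the overload chosen (string versus FormattableString) and whether an intermediate `string` variable sits between the `$` literal and the call, so a check that keys on the method name alone cannot tell them apart.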