C#: Azure Function HttpTrigger SQL Injection is not being detected

[DavidJFowler]

Description of the issue

CodeQL scan is not picking up SQL Injection vulnerability in the following Azure Function trigger:

using System.Net;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Data.Sqlite;
using Microsoft.Extensions.Logging;
using Dapper;

namespace DavidF.Demo.GithubActions.Functions;

public class HelloWorldFunction
{
    private readonly SqliteConnection _sqliteConnection;
    private readonly ILogger _logger;

    public HelloWorldFunction(ILoggerFactory loggerFactory, SqliteConnection sqliteConnection)
    {
        _sqliteConnection = sqliteConnection;
        _logger = loggerFactory.CreateLogger<HelloWorldFunction>();
    }

    [Function("HelloWorldFunction")]
    public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequestData req)
    {
        _logger.LogInformation("C# HTTP trigger function processed a request.");

        var sql = $"SELECT * FROM USER WHERE Name = '{req.Query["name"]}'";

        _sqliteConnection.Open();

        var res = await _sqliteConnection.QueryAsync<UserDto>(sql);

        var response = req.CreateResponse(HttpStatusCode.OK);

        await response.WriteAsJsonAsync(res);

        return response;
    }

    public record UserDto(long Id, string Name);
}

Tested in GitHub actions and also locally using CLI:

c:\codeql\codeql.exe database analyze "codeql-db" --format=sarif-latest --output="codeql-output" --threads=0 '..\codeql\csharp\ql\src\Security Features\cwe-089\SqlInjection.ql'

[tamasvajk]

Thank you for reporting this issue. The reason for not finding the SQL injection is that we don't have any models for Azure Functions, so we don't find the req parameter as a flow source. I created an internal issue to model Azure Function libraries.