pixee / codemodder-java

a framework for building java codemods
https://codemodder.io
GNU Affero General Public License v3.0

Investigate SQL parameterizer cases #303

Closed nahsra closed 5 months ago

nahsra commented 6 months ago

These locations are reported by a scanner as being vulnerable to SQLi for WebGoat 8.2.3. We should investigate if any of these offer opportunities for improvement of our fix logic.

org.owasp.webgoat.container.users.UserService:52
org.owasp.webgoat.lessons.challenges.challenge5.Assignment5:59
org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionChallenge:69
org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionLesson6a:74
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson10:71
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson2:65
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson3:63
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson4:62
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson5a:67
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson5b:65
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson8:78
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson8:158
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson9:76
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson9:76
org.owasp.webgoat.lessons.sqlinjection.mitigation.Servers:72

andrecsilva commented 5 months ago

These were correctly being parameterized.

org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson8:158
org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionChallenge:69

After PRs #319 and #324, the examples below are now being parameterized.

org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson10:71
org.owasp.webgoat.lessons.sqlinjection.advanced.SqlInjectionLesson6a:74
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson5a:67
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson8:78
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson9:76

In the following, the query is not contained within the file. That does not mean no injection can happen, but our codemods are limited to a single-file context.

org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson4:62
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson2:65
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson3:63

The next one is an injection in the order by part of the query. Those cannot be fixed by parameterization and usually require data validation for fixing the exploit. This is usually done with a whitelist of possible inputs (column names in this case). Since this requires business logic knowledge, it is a poor candidate for a codemod.

org.owasp.webgoat.lessons.sqlinjection.mitigation.Servers:72

The one below uses Spring's JdbcTemplate API for executing the query. We don't currently support this API.

org.owasp.webgoat.container.users.UserService:52

These use a PreparedStatement with injections. I can make the codemod support this, but those feel a bit artificial. If you're using PreparedStatement, chances are that you know about injections and are correctly parameterizing. The second one does not enclose the string literals with quotes, which makes detection quite a bit harder.

org.owasp.webgoat.lessons.challenges.challenge5.Assignment5:59
org.owasp.webgoat.lessons.sqlinjection.introduction.SqlInjectionLesson5b:65
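To illustrate the ORDER BY point raised above, here is a constructed example (not code from codemodder-java or from WebGoat) showing why a bind parameter cannot fix a sort-column injection and what the allowlist fix the comment describes looks like; the table and column names (`servers`, `hostname`, `ip`, `mac`) are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

public class OrderByAllowlist {

    // Hypothetical sortable columns; a real application derives these from its schema.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "hostname", "ip", "mac");

    // The shape a scanner flags: the sort column is concatenated into the SQL text.
    // A codemod cannot rewrite this as "ORDER BY ?" because a bound parameter is a
    // literal value, so the database sorts by a constant (or rejects the statement)
    // instead of by the named column.
    static String vulnerableQuery(String column) {
        return "SELECT id, hostname, ip, mac FROM servers WHERE status <> 'out of order' ORDER BY "
                + column;
    }

    // Hardened shape: the user-supplied value is only compared against the allowlist,
    // and the SQL text is built from the allowlisted constant, never from the input.
    static String validatedOrderBy(String requested) {
        String column = requested.trim().toLowerCase();
        if (!SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return column;
    }

    static String safeQuery(String requestedColumn) {
        return "SELECT id, hostname, ip, mac FROM servers WHERE status <> ? ORDER BY "
                + validatedOrderBy(requestedColumn);
    }

    // Other user data (here the status filter) still goes through a bind parameter.
    static ResultSet runSafe(Connection conn, String requestedColumn, String status)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(safeQuery(requestedColumn));
        ps.setString(1, status);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        System.out.println(safeQuery("hostname"));
        try {
            safeQuery("password"); // not a sortable column: rejected before any SQL is built
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```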