
Commit 2b51e03

committed
C#: Add SecondOrder SQL injection example where the query text is read from a file.
1 parent 1e7e49a commit 2b51e03

2 files changed

+32
-5
lines changed


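--- a/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.cs
+++ b/csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.cs
@@ -4,10 +4,14 @@
 namespace Test
 {
 
+using System.Data.SQLite;
+using System.IO;
+using System.Text;
+
 class SecondOrderSqlInjection
 {
 
-public void processRequest()
+public void ProcessRequest()
 {
 using (SqlConnection connection = new SqlConnection(""))
 {
@@ -23,5 +27,28 @@ public void processRequest()
 customerReader.Close();
 }
 }
+
+public void RunSQLFromFile()
+{
+using (FileStream fs = new FileStream("myfile.txt", FileMode.Open))
+{
+using (StreamReader sr = new StreamReader(fs, Encoding.UTF8))
+{
+var sql = String.Empty;
+while ((sql = sr.ReadLine()) != null)
+{
+sql = sql.Trim();
+if (sql.StartsWith("--"))
+continue;
+using (var connection = new SQLiteConnection(""))
+{
+var cmd = new SQLiteCommand(sql, connection);
+cmd.ExecuteScalar();
+}
+}
+}
+}
+}
+
 }
 }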
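Review bot: The new `RunSQLFromFile` method has no comment recording whether executing each line of `myfile.txt` as SQL is expected to be reported, and the accompanying .expected output in the next section only renumbers the pre-existing line-25 alert from line 21, so a reader cannot tell whether the absence of a result at the `new SQLiteCommand(sql, connection)` line is intended or a known gap to be closed later; a marker on that line such as `// BAD: SQL text read from a file is executed as-is (result currently absent from .expected — confirm intent)` would document this. As a point of style, `SQLiteCommand` is IDisposable but `cmd` is created without a `using`, and a new `SQLiteConnection` is constructed for every line of the file; wrapping it as `using (var cmd = new SQLiteCommand(sql, connection))` matches the `using` style the rest of the method already uses. Note also that the `--` filter only skips comment lines, so a blank line becomes `""` after `Trim()` and still reaches `ExecuteScalar()`; if that is not part of what the test intends to exercise, `if (sql.Length == 0 || sql.StartsWith("--"))` would skip it. Prefer `string.Empty` over `String.Empty` for consistency with common C# style.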
Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
11
edges
2-
| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString : String | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... |
2+
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... |
33
nodes
4-
| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | semmle.label | ... + ... |
5-
| SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString : String | semmle.label | call to method GetString : String |
4+
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | semmle.label | ... + ... |
5+
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | semmle.label | call to method GetString : String |
66
subpaths
77
#select
8-
| SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString : String | SecondOrderSqlInjection.cs:21:71:21:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:21:119:21:145 | call to method GetString | Stored user-provided value |
8+
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | $@ flows to here and is used in an SQL query. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | Stored user-provided value |
