Skip to content

semgrep test #78

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

semgrep test #78

wants to merge 1 commit into from

Conversation

@confusedcrib
Copy link
Contributor

@confusedcrib confusedcrib commented Feb 15, 2025

No description provided.

@dryrunsecurity
Copy link

dryrunsecurity bot commented Feb 15, 2025

DryRun Security Summary

The pull request modifies the /games endpoint by adding database functionality but introduces critical security issues, primarily a severe SQL injection vulnerability along with other problems including incorrect table references, poor exception handling, lack of input validation, and potential database connection leaks.

Expand for full summary

This PR modifies the /games endpoint in main.py, adding a query parameter and implementing database retrieval with SQLite. CRITICAL SECURITY VULNERABILITIES detected:

  1. SQL Injection Vulnerability (CRITICAL): Unvalidated user input directly inserted into SQL query in main.py, allowing potential full database manipulation. Attacker can craft malicious queries to access or modify database contents.

  2. Database Table Name Mismatch: SQL query references non-existent tiles table instead of video_games, potentially causing runtime errors and potential information disclosure.

  3. Exception Handling Weakness: Raw exception messages returned, risking internal system information leakage.

  4. Input Validation Failure: No sanitization or validation of query parameter before database interaction.

  5. Potential Database Connection Management Risk: Possible connection leaks if exceptions occur before proper connection closure.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

codacy-production[bot]
codacy-production bot reviewed Feb 15, 2025
View reviewed changes
insecure-api/main.py
conn = sqlite3.connect('videogames.db')
cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"
Copy link

@codacy-production codacy-production bot Feb 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Codacy found a medium Security issue: Possible SQL injection vector through string-based query construction.

The issue identified by the Bandit linter is a potential SQL injection vulnerability. The current code constructs a SQL query by directly interpolating the query variable into the SQL string. This approach can be exploited by an attacker who can manipulate the query parameter to execute arbitrary SQL commands, leading to unauthorized data access or modification.

To fix this issue, you should use parameterized queries, which safely handle user input by separating SQL code from data. This prevents SQL injection attacks.

Here's the suggested code change:

        sql_query = "SELECT * FROM tiles WHERE title = ?"
        cursor.execute(sql_query, (query,))

This comment was generated by an experimental AI tool.

jit-ci[bot]
jit-ci bot reviewed Feb 15, 2025
View reviewed changes
Copy link

@jit-ci jit-ci bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Jit has detected 1 important finding in this PR that you should review.
The finding is detailed below as a comment.
It’s highly recommended that you fix this security issue before merge.

insecure-api/main.py
cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"
cursor.execute(sql_query)
Copy link

@jit-ci jit-ci bot Feb 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Python Semgrep

Sqlalchemy Raw Sql Query Concatenation Risks Sql Injection

Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jit-ci jit-ci[bot] jit-ci[bot] left review comments

+1 more reviewer

@codacy-production codacy-production[bot] codacy-production[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@confusedcrib