add vuln
confusedcrib committed Feb 15, 2025
commit a53589ae67e1029cd632a301ec9c8900283faded
13 changes: 12 additions & 1 deletion insecure-api/main.py
Expand Up @@ -49,7 +49,18 @@ def startup_event():

# Public endpoint to get basic video game info
@app.get("/games")
def get_games():
def get_games(query: str):
conn = sqlite3.connect('videogames.db')
cursor = conn.cursor()
try:
sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"
cursor.execute(sql_query)
Security control: Static Code Analysis Python Semgrep

SQLAlchemy raw SQL query concatenation risks SQL Injection

Avoiding SQL string concatenation: untrusted input concatenated with a raw SQL query can result in SQL Injection. In order to execute a raw query safely, a prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use the SQL Expression Language or the Schema Definition Language. In most cases, the SQLAlchemy ORM will be a better option.

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_ignore_type_in_file Ignore any finding of type "SQLAlchemy raw SQL query concatenation risks SQL Injection" in insecure-api/main.py; future occurrences will also be ignored.
  • #jit_undo_ignore Undo ignore command

video_games = cursor.fetchall()
except Exception as e:
# Return the exception message for educational purposes (not recommended in production)
return {"error": str(e)}
finally:
conn.close()
return video_games

# Vulnerable endpoint: No authentication required to get sensitive sales data
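Review bot: `sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"` near the top of this hunk splices the `query` parameter straight into the statement, so a value such as `' OR '1'='1` returns the whole table and a UNION payload can read any other table; bind it instead: `cursor.execute("SELECT * FROM tiles WHERE title = ?", (query,))`. Two smaller points in the same hunk: changing the signature to `def get_games(query: str):` makes the parameter required, so every existing `GET /games` call without `?query=` will be rejected (a 422 if this is FastAPI, as the `@app.get` decorator suggests) unless you give it a default or keep a no-argument listing path; and the `except` branch returning `{"error": str(e)}` hands the caller the raw database error text, which the inline comment already concedes is for teaching only. Please also confirm that `tiles` is the intended table name. The Semgrep finding attached above is reported under an SQLAlchemy rule name although this handler uses the sqlite3 module directly; the fix is the same (a bound parameter), just not via TextualSQL.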
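The Semgrep finding attached to this hunk recommends prepared statements over string concatenation. The block below is an added example, not code from the repository or from Jit: it rebuilds the hunk's f-string lookup against a constructed in-memory SQLite table named `tiles` (the rows are made up for this example) and runs it beside the bound-parameter form, so the effect of a tautology payload and of a UNION payload can be compared directly. The function names `get_games_vulnerable`, `get_games_safe`, `make_db` and `demo` are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for videogames.db; table name 'tiles' follows the hunk,
    the rows are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tiles (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO tiles (title, price) VALUES (?, ?)",
        [("Halo", 59.99), ("Tetris", 9.99), ("Portal", 19.99)],
    )
    conn.commit()
    return conn


def get_games_vulnerable(conn: sqlite3.Connection, query: str) -> list:
    """Mirrors the PR's handler: the untrusted value is formatted into the SQL text,
    so quotes and keywords inside it are parsed as part of the statement."""
    sql_query = f"SELECT * FROM tiles WHERE title = '{query}'"
    return conn.execute(sql_query).fetchall()


def get_games_safe(conn: sqlite3.Connection, query: str) -> list:
    """Same lookup with a sqlite3 parameter marker: the driver binds the value
    after parsing, so it can only ever be compared against the title column."""
    return conn.execute("SELECT * FROM tiles WHERE title = ?", (query,)).fetchall()


def demo() -> dict:
    """Run both handlers on a normal title and on two injection payloads."""
    conn = make_db()
    normal = "Tetris"
    # Tautology: closes the opened quote, ORs in a condition that is always true,
    # and the trailing '1 re-uses the handler's own closing quote.
    tautology = "' OR '1'='1"
    # UNION: adds a row of attacker-chosen columns (here the engine version) and
    # comments out the handler's closing quote with --.
    union = "' UNION SELECT 1, sqlite_version(), 3 --"
    results = {
        "vuln_normal": get_games_vulnerable(conn, normal),
        "vuln_tautology": get_games_vulnerable(conn, tautology),
        "vuln_union": get_games_vulnerable(conn, union),
        "safe_normal": get_games_safe(conn, normal),
        "safe_tautology": get_games_safe(conn, tautology),
        "safe_union": get_games_safe(conn, union),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the f-string handler the tautology payload returns all three rows and the UNION payload returns a row whose second column is the SQLite library version; the bound handler returns exactly one row for `Tetris` and nothing for either payload, because the whole payload is compared as a title string. The equivalent binding in SQLAlchemy, as the finding suggests, is `text("SELECT * FROM tiles WHERE title = :title")` executed with `{"title": query}`; it is not exercised here so the block runs with the standard library alone.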
5 changes: 2 additions & 3 deletions insecure-js/server.js
Expand Up @@ -105,7 +105,7 @@ const server = http.createServer((req, res) => {
// Direct SQL Injection via Sequelize
if (postData.orderNumber) {
const index = responseMessages.length;
responseMessages.push(`<h3>1. Sequelize Injection</h3>`); // Add header immediately
responseMessages.push(`<h3>1. Sequelize Injection</h3>`);
asyncTasks.push(
(async () => {
try {
Expand All @@ -124,8 +124,7 @@ const server = http.createServer((req, res) => {
// Direct SQL Injection via sqlite3
if (postData.orderNumber2) {
const index = responseMessages.length;
responseMessages.push(`<h3>2. SQLite Injection</h3>`); // Add header immediately
asyncTasks.push(
responseMessages.push(`<h3>2. SQLite Injection</h3>`);
new Promise((resolve) => {
const query = `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber2};`;
db.all(query, [], (err, rows) => {
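Review bot: removing `asyncTasks.push(` (the deleted line just before `new Promise((resolve) => {`) without also removing its closing parenthesis, which lies outside this hunk and, going by the file summary of 3 deletions in total, was not touched, leaves an unbalanced `)` in server.js; and even if the parentheses balanced, the promise would no longer be collected in `asyncTasks`, so whatever awaits those tasks before writing the response would not wait for this SQLite query and the `responseMessages` entry at `index` would be sent incomplete. Restore the `asyncTasks.push(` line. The query on the last line, `SELECT product FROM Orders WHERE orderNumber = ${postData.orderNumber2};`, interpolates the request body directly, which the comment above this block marks as the intended "Direct SQL Injection via sqlite3"; the bound form is `db.all('SELECT product FROM Orders WHERE orderNumber = ?', [postData.orderNumber2], (err, rows) => { ... })`.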