Create rule S5147(C#): NoSQL operations should not be vulnerable to injection attacks APPSEC-2024 (#4165)

* Add csharp to rule S5147
* Add the text
* Fixed filename
* Apply suggestions from code review
  Co-authored-by: Hendrik Buchwald <[email protected]>
* Apply suggestions from code review
* Update rules/S5147/csharp/how-to-fix-it/mongodb-csharp-driver.adoc
* Update rules/S5147/common/fix/builder-pattern.adoc
  Co-authored-by: Hendrik Buchwald <[email protected]>

---------

Co-authored-by: loris-s-sonarsource <[email protected]>
Co-authored-by: Loris Sierra <[email protected]>
Co-authored-by: Loris S. <[email protected]>
Co-authored-by: Hendrik Buchwald <[email protected]>
1 parent dc51692, commit 504835d
Showing 4 changed files with 115 additions and 0 deletions.
@@ -0,0 +1,9 @@ | ||
==== Use safe builder patterns | ||
|
||
Generally, database queries also accept builder patterns to build queries. This | ||
is a safe way to build queries as it ensures that the query is built correctly | ||
and is safe from injection attacks because it does not require you to ensure | ||
that the query is built correctly. | ||
|
||
For example, using a `.where()` function instead of a string and `$where` will | ||
help avoid an injection attack. |
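Review bot: the explanation in this hunk is circular ("it ensures that the query is built correctly ... because it does not require you to ensure that the query is built correctly") and never states the mechanism that actually prevents injection. Reword it to say that a builder keeps the query structure (field names and operators) in code and passes the untrusted value as a typed argument, so the value is serialized as data and cannot introduce operators of its own. Also, `.where()` and `$where` read as a JavaScript/mongo-shell example; since this file is included from the C# rule (and is under common/), either phrase it generically or name the C# counterpart, `Builders<T>.Filter`, which the compliant example in this same commit already uses.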
rules/S5147/csharp/how-to-fix-it/mongodb-csharp-driver.adoc (77 additions & 0 deletions)
@@ -0,0 +1,77 @@ | ||
== How to fix it in MongoDB | ||
|
||
=== Code examples | ||
|
||
The following code is vulnerable to NoSQL injections because untrusted data is | ||
used to find data in a database. | ||
Such cases can be encountered when client-side code crafts the query, such as | ||
``++[{ '$match': { 'Username': 'John Doe' } }]++``. | ||
|
||
Note that `Find` and `FindAsync` are not the only constructs whose input should be | ||
verified. Multiple | ||
https://mongodb.github.io/mongo-csharp-driver/2.4/reference/driver/definitions/[definitions] | ||
can be built from a string and allow attackers to leak or tamper with data. | ||
|
||
==== Noncompliant code example | ||
|
||
[source,csharp,diff-id=1,diff-type=noncompliant] | ||
---- | ||
using MongoDB.Driver; | ||
using MongoDB.Bson; | ||
[ApiController] | ||
[Route("Example")] | ||
public class ExampleController: ControllerBase | ||
{ | ||
private string connectionString; | ||
[Route("Example")] | ||
public async Task<string> Example() | ||
{ | ||
var client = new MongoClient(connectionString); | ||
var database = client.GetDatabase("example"); | ||
var collection = database.GetCollection<Message>("messages"); | ||
var filterDefinition = Request.Query["filterDefinition"]; | ||
await collection.FindAsync(filter) | ||
} | ||
} | ||
---- | ||
|
||
==== Compliant solution | ||
|
||
[source,csharp,diff-id=1,diff-type=compliant] | ||
---- | ||
using MongoDB.Driver; | ||
using MongoDB.Bson; | ||
[ApiController] | ||
[Route("Example")] | ||
public class ExampleController: ControllerBase | ||
{ | ||
private string connectionString; | ||
[Route("Example")] | ||
public async Task<string> Example() | ||
{ | ||
var client = new MongoClient(connectionString); | ||
var database = client.GetDatabase("example"); | ||
var collection = database.GetCollection<Message>("messages"); | ||
var filterDefinition = Builders<BsonDocument>.Filter.Eq("Username", "Example"); | ||
await collection.FindAsync(filter) | ||
} | ||
} | ||
---- | ||
|
||
=== How does this work? | ||
|
||
include::../../common/fix/builder-pattern.adoc[] | ||
|
||
If using a builder pattern is not possible, follow the instructions below: | ||
|
||
include::../../common/fix/pre-approved-list.adoc[] | ||
|
||
include::../../common/fix/dangerous-operators.adoc[] |
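Review bot: neither code sample in this hunk compiles, which weakens a rule whose whole point is the difference between them. In both samples `var filterDefinition = ...;` is followed by `await collection.FindAsync(filter)`, which references an undeclared `filter` and lacks a semicolon, and both `Example()` methods declare `Task<string>` but return nothing. The compliant sample additionally builds `Builders<BsonDocument>.Filter.Eq("Username", "Example")` for a collection typed `IMongoCollection<Message>`, and it drops the request input entirely instead of showing it used safely; something like `Builders<Message>.Filter.Eq(m => m.Username, Request.Query["username"].ToString())` would show the reader that the untrusted value is still consumed, only as a value rather than as query structure. Minor: add `using Microsoft.AspNetCore.Mvc;` so `ApiController`/`ControllerBase` resolve, and the introduction cites `[{ '$match': ... }]`, an aggregation pipeline, while the samples use `Find`; pick one so the prose matches the code.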
@@ -0,0 +1,2 @@ | ||
{ | ||
} |
@@ -0,0 +1,27 @@ | ||
== Why is this an issue? | ||
|
||
include::../rationale.adoc[] | ||
|
||
include::../impact.adoc[] | ||
|
||
include::how-to-fix-it/mongodb-csharp-driver.adoc[] | ||
|
||
== Resources | ||
|
||
include::../common/resources/articles.adoc[] | ||
|
||
include::../common/resources/standards.adoc[] | ||
|
||
ifdef::env-github,rspecator-view[] | ||
|
||
''' | ||
== Implementation Specification | ||
(visible only on this page) | ||
|
||
include::../message.adoc[] | ||
|
||
include::../highlighting.adoc[] | ||
|
||
''' | ||
|
||
endif::env-github,rspecator-view[] |