
SQL Injection flagged when concatenating strings


Describe the bug

It seems that when concatenating strings in a cur.execute() call, it flags up SQL injection possibilities, even though all the string arguments are being passed into the execute() call. So, this looks safe to me.

Reproduction steps

See the # noqa: S608 lines in this file: https://github.com/aio-libs/aiohttp-session/blob/master/examples/postgres_storage.py#L68-L72

Expected behavior

No errors from concatenating string literals.

Bandit version

1.7.0 (Default)

Python version

3.7

Additional context

No response

Issue Analytics

  • State: open
  • Created 2 years ago
  • Comments: 6

Top GitHub Comments

3 reactions
Dreamsorcerer commented, Sep 29, 2021

No, the use of a variable in the string is a possible vulnerability.

Concatenating string literals is not a vulnerability.

If the program is checking purely for concatenation, then it is wrong, hence why this is a bug report.
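The distinction drawn in the issue and in the comment above (a variable interpolated into the query text is the risk; concatenating string literals is not) is exactly what a linter rule has to encode. The following is an added example, not Bandit's own implementation: a small AST walker that inspects the first argument of every `execute` / `executemany` call and reports it only when the query text is built from something other than string literals. `SAMPLE` is a constructed snippet modelled on the `cur.execute()` pattern from the issue; its line numbers are the expected findings.

```python
"""Tell literal-only SQL concatenation apart from variable interpolation.

Added example (not Bandit's code). Pure concatenation of literals, as in the
aiohttp-session example, passes; names, f-string placeholders, %-formatting,
.format() calls and '+' with a non-literal operand are reported.
"""
import ast
from typing import List

EXECUTE_METHODS = {"execute", "executemany"}


def is_literal_sql(node: ast.AST) -> bool:
    """True if ``node`` can only ever evaluate to a fixed string.

    Accepts string constants, '+' chains of string constants, implicit
    concatenation of adjacent literals (already a single Constant after
    parsing) and f-strings that contain no {} placeholders.
    """
    if isinstance(node, ast.Constant):
        return isinstance(node.value, str)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return is_literal_sql(node.left) and is_literal_sql(node.right)
    if isinstance(node, ast.JoinedStr):
        return all(isinstance(part, ast.Constant) for part in node.values)
    # Anything else (Name, Call, % formatting, FormattedValue ...) may carry
    # runtime data into the statement text, so it is treated as dynamic.
    return False


def find_dynamic_queries(source: str) -> List[int]:
    """Return line numbers of execute() calls whose SQL text is not literal-only."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name in EXECUTE_METHODS and not is_literal_sql(node.args[0]):
            findings.append(node.lineno)
    return sorted(findings)


# Constructed sample, modelled on the pattern reported in the issue.
SAMPLE = '''\
async def load(cur, key, now, table):
    await cur.execute(
        "SELECT data FROM sessions "
        "WHERE key = %s AND expires > %s",
        (key, now),
    )                                               # literal-only: not reported
    await cur.execute("SELECT data FROM " + table)  # variable operand: reported
    await cur.execute(f"DELETE FROM {table}")       # f-string placeholder: reported
    await cur.execute("SELECT %s" % key)            # %-formatting: reported
    await cur.execute("SELECT 1 " + "FROM dual")    # two literals: not reported
'''

if __name__ == "__main__":
    for lineno in find_dynamic_queries(SAMPLE):
        print(f"line {lineno}: SQL statement built from non-literal data")
```

The checker is deliberately conservative in one direction: a query held in a module-level constant and passed by name (`cur.execute(QUERY)`) is reported because telling that apart from a variable would need dataflow analysis; a real tool would resolve simple constant bindings before flagging. Parameters passed in the second argument of `execute()` are never part of the statement text and so are never inspected, which is the point the issue makes.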

0 reactions
lukegil commented, Oct 5, 2021

Using the initial example provided by @Dreamsorcerer, it appears to have been introduced in the 1.6.3 release. The example passes in 1.6.2. Not quite sure what would have changed, since that mainly appears to have been a documentation release.
