SQL Injection via RawSQL
Description
SQL injection is a critical class of vulnerability that can lead to data or system compromise. When SQL query strings are built dynamically from user input, that input can alter the logic of the statement. This can let an adversary read information they should not have access to or, in some circumstances, execute OS functionality or code.
Examples
Insecure Code
```python
# Vulnerable: user_supplied_id is concatenated into the SQL text, so quote characters in it become part of the statement (params=[] added only so the call is well-formed; RawSQL requires it).
DBObject.objects.all().annotate(val=RawSQL(sql="select id from some_secondary_table where id='" + user_supplied_id + "'", params=[]))
```
Secure Code
```python
# Safe: the value is bound to the %s placeholder by the database driver and is never parsed as SQL.
DBObject.objects.all().annotate(val=RawSQL(sql="select id from some_secondary_table where id=%s", params=[user_supplied_id]))
```
Remediation
Replace all dynamically generated SQL queries with parameterized queries, or use other QuerySet methods (filters, lookups, subqueries) to achieve the same goal. If RawSQL is unavoidable, never concatenate user-supplied data into the SQL string; pass it through the params argument so the driver binds it.
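The following is an added example, not part of the rule page or of Django itself: it reproduces the two RawSQL patterns above against an in-memory sqlite3 table (a constructed stand-in for some_secondary_table, using sqlite3's ? placeholder where Django backends use %s) so the difference in behaviour can be observed for the same input.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for some_secondary_table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table some_secondary_table (id text)")
    conn.executemany(
        "insert into some_secondary_table values (?)", [("a1",), ("b2",), ("c3",)]
    )
    return conn


def lookup_insecure(conn, user_supplied_id):
    # Mirrors the insecure RawSQL call: the value is spliced into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = "select id from some_secondary_table where id='" + user_supplied_id + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_secure(conn, user_supplied_id):
    # Mirrors RawSQL(sql=..., params=[...]): the driver binds the value to the
    # placeholder, so the whole input is compared as data, quotes included.
    sql = "select id from some_secondary_table where id=?"
    return [row[0] for row in conn.execute(sql, [user_supplied_id])]


if __name__ == "__main__":
    conn = make_db()
    # A benign id behaves the same either way.
    print(lookup_insecure(conn, "b2"), lookup_secure(conn, "b2"))
    # An input containing a quote changes the query's logic only in the
    # concatenated version; the parameterized one simply finds no such id.
    tainted = "zzz' or 'x'='x"
    print(lookup_insecure(conn, tainted))  # all three rows
    print(lookup_secure(conn, tainted))    # []
```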
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0180 |
| Category | Injection |
| Severity | CRITICAL |
| CWE | CWE-89 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | HIGH |
| Exploitability | EASY |
| Tags | sql injection, rawsql |
| OWASP | A1:2017-Injection, A03:2021-Injection |