Unsanitized user input in SQL query

  • Rule ID: javascript_lang_sql_injection
  • Languages: javascript
  • Source: sql_injection.yml

Description

Including unsanitized data, such as user input or request data, in raw SQL queries makes your application vulnerable to SQL injection attacks.

Remediations

❌ Avoid raw queries, especially those that contain unsanitized user input

  const { Sequelize } = require("sequelize");
  const sqlite = new Sequelize("sqlite::memory:");
  // Vulnerable: request data is concatenated straight into the SQL text
  sqlite.query("SELECT * FROM users WHERE ID = " + req.params.userId);

Instead, consider the following approaches when writing SQL queries

✅ Validate query input wherever possible

  const rawId = req.params.userId;
  // Anchor the pattern so the whole value must be digits, not just some substring of it
  if (!/^[0-9]+$/.test(rawId)) {
    // input is unexpected; don't make the query
  }

✅ Use prepared (or parameterized) statements when querying

Sequelize example -

  const { Sequelize } = require("sequelize");
  const sqlite = new Sequelize("sqlite::memory:");
  // The SQL text is fixed; the user value is bound separately via replacements
  sqlite.query(
    "SELECT * FROM users WHERE ID = ?",
    {
      replacements: [req.params.userId],
      type: Sequelize.QueryTypes.SELECT,
    }
  );
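The two remediations above work best together: validate the route parameter first, then pass it to the database only as a bound value. The following is an added, stand-alone example written for this page; it is not Bearer's or Sequelize's code. The `FakeDb` object is an assumed stand-in for a Sequelize instance that only records what `query()` was called with, so the snippet runs without a database; `parseUserId` and `userByIdQuery` are hypothetical helper names.

```javascript
// Anchored pattern: the whole string must be digits. An unanchored /[0-9]+/
// would accept "42abc" because it matches the "42" somewhere inside.
const ID_PATTERN = /^[0-9]+$/;

// Validation step: returns the numeric id, or null when the value must be rejected.
function parseUserId(raw) {
  if (typeof raw !== "string" || !ID_PATTERN.test(raw)) return null;
  const id = Number(raw);
  return Number.isSafeInteger(id) ? id : null;
}

// Parameterization step: the SQL text is a constant, and the user value
// travels only in `replacements`, in the shape Sequelize's query() expects.
function userByIdQuery(raw) {
  const id = parseUserId(raw);
  if (id === null) return null;
  return {
    sql: "SELECT * FROM users WHERE ID = ?",
    options: { replacements: [id], type: "SELECT" },
  };
}

// For contrast, the concatenation pattern from the first snippet: the SQL
// text itself changes with the input, which is the defect the rule flags.
function concatenatedQuery(raw) {
  return "SELECT * FROM users WHERE ID = " + raw;
}

// Assumed stand-in for a Sequelize instance (constructed for this example):
// it records the call instead of talking to a database.
class FakeDb {
  constructor() { this.calls = []; }
  query(sql, options) {
    this.calls.push({ sql, options });
    return Promise.resolve([]);
  }
}

// Request handler shape: reject invalid ids before any query is issued.
// Returns "rejected" or "queried" so the outcome can be checked.
function findUser(db, rawUserId) {
  const q = userByIdQuery(rawUserId);
  if (q === null) return "rejected";
  db.query(q.sql, q.options);
  return "queried";
}

// Usage (constructed inputs):
const db = new FakeDb();
findUser(db, "42");     // queried with sql "SELECT * FROM users WHERE ID = ?" and replacements [42]
findUser(db, "42abc");  // rejected before any query is made
```

Note that `userByIdQuery` produces the same SQL string for every input; only the bound value differs, whereas `concatenatedQuery` yields a different statement for every input string.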

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=javascript_lang_sql_injection

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=javascript_lang_sql_injection