
    >/i                         S r SSKrSSKrSSKrSSKJr  SSKJr  SSKJr  \R                  " S\R                  \R                  -  5      rS rS r\R                  " S	5      \R                   " S
5      S 5       5       rg)ab  
============================
B608: Test for SQL injection
============================

An SQL injection attack consists of insertion or "injection" of a SQL query via
the input data given to an application. It is a very common attack vector. This
plugin test looks for string literals shaped like a SQL statement (a
``SELECT ... FROM``, ``DELETE FROM``, ``INSERT INTO ... VALUES`` or
``UPDATE ... SET`` clause, matched case-insensitively) that are involved in
some form of string building operation; other statement shapes are not
recognized. For example:

 - "SELECT %s FROM derp;" % var
 - "SELECT thing FROM " + tab
 - "SELECT " + val + " FROM " + tab + ...
 - "SELECT {} FROM derp;".format(var)
 - f"SELECT foo FROM bar WHERE id = {product}"

Unless the query is parameterized (or the interpolated values are otherwise
strictly controlled) when building such SQL statement strings, an injection
attack becomes possible. If strings of this nature are discovered, a LOW
confidence issue is reported. In order to boost result confidence, this plugin
test will also check to see if the discovered string is in use with standard
Python DBAPI calls `execute` or `executemany`. If so, a MEDIUM confidence issue
is reported; the severity is MEDIUM in every case. For example:

 - cursor.execute("SELECT %s FROM derp;" % var)

Use of str.replace in the string construction can also be dangerous.
For example:

- "SELECT * FROM foo WHERE id = '[VALUE]'".replace("[VALUE]", identifier)

However, such cases are always reported with LOW confidence, even when the
result is passed to `execute` or `executemany`, to compensate for false
positives, since valid uses of str.replace are common.

:Example:

.. code-block:: none

    >> Issue: Possible SQL injection vector through string-based query
    construction.
       Severity: Medium   Confidence: Low
       CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
       Location: ./examples/sql_statements.py:4
    3 query = "DELETE FROM foo WHERE id = '%s'" % identifier
    4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier
    5

.. seealso::

 - https://www.owasp.org/index.php/SQL_Injection
 - https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
 - https://cwe.mitre.org/data/definitions/89.html

.. versionadded:: 0.9.0

.. versionchanged:: 1.7.3
    CWE information added

.. versionchanged:: 1.7.7
    Flag when str.replace is used in the string construction

    N)issue)test_properties)utilszL(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)c                 0    [         R                  U 5      S L$ )N)SIMPLE_SQL_REsearch)datas    V/home/james-whalen/.local/lib/python3.13/site-packages/bandit/plugins/injection_sql.py_check_stringr   S   s    %T11    c                    S nSnSn[        U R                  [        R                  5      (       a6  [        R
                  " X R                  5      nUS   R                  nUS   nGO[        U R                  [        R                  5      (       ad  U R                  R                  S;   aJ  U R                  nU R                  R                  R                  nU R                  R                  S:X  a  SnGO [        [        S5      (       a  [        U R                  [        R                  5      (       a  U R                  R                   Vs/ s HG  n[        U[        R                  5      (       d  M$  [        UR                  [        5      (       d  ME  UPMI     nnU(       aS  XS   :X  aK  SR                  U Vs/ s H  n[        UR                  5      PM     sn5      nU R                  R                  n[        U[        R                  5      (       a   S	S
/n[        R                   " U5      nX;   X#4$ SX#4$ s  snf s  snf )N Fr      )formatreplacer   T	JoinedStrexecuteexecutemany)
isinstance_bandit_parentastBinOpr   concat_string	Attributeattrvaluehasattrr   valuesConstantstrjoinCallget_called_name)	nodewrapper	statementstr_replaceoutchild
substringsnamesnames	            r
   _evaluate_astr-   W   s   GIK$%%syy11!!$(;(;<a&''F		S]]
 




"
"&;
;JJ	%%44CC##y0K	k	"	"zS]]( (
 ,,33
3%. 3=ekk33O 3 	 
 $Q-/z JzeU[[!1z JKI))88G'388$$M*$$W-y66y..%
 !Ks   	#H60H6H67H;StrB608c                 &   [        U R                  5      u  pn[        U5      (       ai  [        R                  " [        R
                  U(       a  U(       d  [        R
                  O[        R                  [        R                  R                  SS9$ g )NzFPossible SQL injection vector through string-based query construction.)severity
confidencecwetext)
r-   r$   r   banditIssueMEDIUMLOWr   CweSQL_INJECTION)contextexecute_callr&   r'   s       r
   hardcoded_sql_expressionsr=      sh     ,9+F(L[Y||]]   ZZ		''"

 
	
  r   )__doc__r   rer5   bandit.corer   r   testr   compile
IGNORECASEDOTALLr   r   r-   checkstest_idr=    r   r
   <module>rH      s}   
<z  	   / 

 MMBII2&/R Uf
  
r   