-
Notifications
You must be signed in to change notification settings - Fork 384
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Express "tainted-sql-injection" is too broad in the strings it matches #2898
Comments
Hey @ollien, thanks for filing this issue. I don't think we can really do that with the current state of Semgrep unfortunately. |
There was an update to this rule yesterday (Apr 29th 2024), and after that we are also running into this rule being too broad.
If I change the word "create" in the message to "make" it doesn't throw |
Describe the bug
Using the rule
javascript.express.security.injection.tainted-sql-string.tainted-sql-string
, even simple log statements regarding the action taking place are matched. This is often problematic when commonly logged verbs are used which happen to coincide with the SQL verbs (Update, delete, etc...)To Reproduce
Because the log statement in the delete route contains the word "delete", it is assumed to be SQL, which it obviously isn't, and trips the warning.
Expected behavior
I would expect this to be more careful about what strings are actually matched. I don't know what would be required to do this, since implementing a SQL parser for something like this is overkill, but perhaps some kind of heuristic based on where the string is used would work.
Priority
How important is this to you?
Screenshots
N/A
Desktop (please complete the following information):
N/A
Smartphone (please complete the following information):
N/A
Additional context
I was able to reproduce in the playground with Semgrep v1.20.0
The text was updated successfully, but these errors were encountered: