Metastatic.Analysis.BusinessLogic.SQLInjection (Metastatic v0.10.4)


Detects potential SQL injection vulnerabilities (CWE-89).

This analyzer identifies code patterns where user-controlled data is concatenated or interpolated into a SQL query string that is then handed to a database driver. Because the data becomes part of the query text rather than a bound value, an attacker can change the structure of the query, which is what makes SQL injection possible.

Cross-Language Applicability

SQL injection is not specific to any language; the same mistake appears wherever a query string is assembled from untrusted data instead of being parameterized:

  • Python: cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
  • JavaScript: db.query(`SELECT * FROM users WHERE id = ${userId}`)
  • Elixir: Repo.query("SELECT * FROM users WHERE id = " <> id)
  • Ruby: User.where("name = '#{params[:name]}'")
  • PHP: $pdo->query("SELECT * FROM users WHERE id = $id")
  • Java: stmt.executeQuery("SELECT * FROM users WHERE id = " + userId)
  • C#: cmd.CommandText = "SELECT * FROM users WHERE id = " + userId
  • Go: db.Query("SELECT * FROM users WHERE id = " + userId)

Problem

When SQL queries are built by concatenating user-controlled strings, the input is parsed as part of the query rather than treated as a value, so an attacker who controls it can:

  • Inject additional SQL that changes what the query does
  • Read, modify, or delete data the application never meant to expose
  • Bypass authentication (for example by commenting out a password check)
  • Execute administrative operations, depending on the database account's privileges
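The authentication-bypass case above, shown end to end in an added example (this is illustration code, not part of Metastatic): an in-memory SQLite database with one constructed user row, a login function that builds its query with an f-string, and the parameterized version beside it. The attacker input `admin' --` is constructed for the demo; SQLite's `--` starts a line comment, so everything after the injected name, including the password check, is discarded. Note that SQLite's `sqlite3` module uses the `?` placeholder, whereas drivers such as psycopg2 use `%s`.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a single constructed user row (sample data for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret-not-guessable', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    """Returns the user id on success, None otherwise.

    The query is built with an f-string, the pattern this analyzer flags:
    whatever the caller passes becomes part of the SQL text."""
    query = f"SELECT id FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str):
    """Same lookup with bound parameters: the driver sends the values separately,
    so quotes and comment markers in the input are just characters in a value."""
    row = conn.execute(
        "SELECT id FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


# Constructed attacker input: the quote closes the name literal and "--" comments
# out the rest of the line, so the password check never runs.
PAYLOAD_NAME = "admin' --"


def demo() -> dict:
    """Runs both versions against the same inputs and returns the outcomes."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD_NAME, "wrong"),
        "safe_with_payload": login_safe(conn, PAYLOAD_NAME, "wrong"),
        "safe_with_real_credentials": login_safe(conn, "admin", "s3cret-not-guessable"),
        "vulnerable_with_wrong_password": login_vulnerable(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Running the demo shows the vulnerable login returning the admin's id for the payload with a wrong password, while the parameterized version returns None for the same input and still accepts the real credentials.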

Detection Strategy

Detects patterns where:

  1. SQL keywords (SELECT, INSERT, UPDATE, DELETE, etc.) appear in string literals
  2. Those strings are concatenated or interpolated with variables or function results
  3. The resulting string flows to a database query function

A match is reported as a potential injection: the check establishes that a query is built from non-literal parts, not that the interpolated value is attacker-controlled, so each finding still needs review. Concatenation of string literals only does not match step 2.
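The three steps above implemented over Python source as an added example (this is illustration code, not Metastatic's own analyzer, which works across languages). It uses Python's `ast` module: step 1 is a keyword check on string literals, step 2 recognizes f-strings, `+` and `%` concatenation and `str.format` with non-literal parts, and step 3 follows assignments within the file so that a tainted query stored in a variable and passed to a sink later is still caught. The sink method names and the sample source are assumptions constructed for the demo.

```python
import ast

# Step 1: a string literal containing one of these is treated as (part of) a query.
SQL_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER")
# Step 3: method names treated as database query sinks. Assumed list for this
# example; the real analyzer's sink list is not shown on the page.
QUERY_SINKS = {"execute", "executemany", "query", "raw"}


def _looks_like_sql(text: str) -> bool:
    upper = text.upper()
    return any(kw in upper for kw in SQL_KEYWORDS)


def _is_tainted_sql(node: ast.AST, tainted: set) -> bool:
    """Step 2: True if `node` builds a SQL string from non-literal parts,
    or names a variable that was assigned such a string earlier."""
    # f"SELECT ... {x}"
    if isinstance(node, ast.JoinedStr):
        literal = "".join(v.value for v in node.values if isinstance(v, ast.Constant))
        has_hole = any(isinstance(v, ast.FormattedValue) for v in node.values)
        return has_hole and _looks_like_sql(literal)
    # "SELECT ... " + x   or   "SELECT ... %s" % x   (also nested: ("..." + a) + b)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        parts = [node.left, node.right]
        literals = [p.value for p in parts
                    if isinstance(p, ast.Constant) and isinstance(p.value, str)]
        dynamic = [p for p in parts if not isinstance(p, ast.Constant)]
        if literals and dynamic and any(_looks_like_sql(s) for s in literals):
            return True
        return any(_is_tainted_sql(p, tainted) for p in parts)
    # "SELECT ... {}".format(x)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"
            and isinstance(node.func.value, ast.Constant)
            and isinstance(node.func.value.value, str)):
        return bool(node.args or node.keywords) and _looks_like_sql(node.func.value.value)
    # a variable previously bound to a tainted query string
    if isinstance(node, ast.Name):
        return node.id in tainted
    return False


def _walk_in_source_order(node: ast.AST):
    """Pre-order traversal, so assignments are seen before the calls that use them."""
    for child in ast.iter_child_nodes(node):
        yield child
        yield from _walk_in_source_order(child)


def find_sql_injection(source: str) -> list:
    """Return (line, message) for every query sink fed a tainted SQL string."""
    findings = []
    tainted = set()  # names bound to a tainted query string so far (file-wide, for simplicity)
    for node in _walk_in_source_order(ast.parse(source)):
        if isinstance(node, ast.Assign) and _is_tainted_sql(node.value, tainted):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr in QUERY_SINKS and node.args
              and _is_tainted_sql(node.args[0], tainted)):
            findings.append((node.lineno,
                             f"line {node.lineno}: SQL built from non-literal parts "
                             f"passed to .{node.func.attr}()"))
    return findings


# Constructed sample input covering the page's bad/good Python examples plus
# a variable flow, a literal-only concatenation, and a non-sink call.
SAMPLE = '''
def get_user(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

def get_user_safe(cursor, user_id):
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

def search(cursor, name):
    query = "SELECT * FROM users WHERE name = '" + name + "'"
    return cursor.execute(query)

def count(cursor):
    cursor.execute("SELECT " + "count(*) FROM users")

def log_it(logger, user_id):
    logger.info(f"SELECT for {user_id}")
'''

if __name__ == "__main__":
    for _, message in find_sql_injection(SAMPLE):
        print(message)
```

On the sample, only the f-string in `get_user` (line 3) and the tainted `query` variable reaching `cursor.execute` in `search` (line 10) are reported; the parameterized call, the literal-only concatenation and the logger call are not.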

Examples

Bad (Elixir)

def get_user(id) do
  # id becomes part of the query text, so a value such as "1 OR 1=1" changes the query
  Repo.query("SELECT * FROM users WHERE id = " <> id)
end

Good (Elixir)

def get_user(id) do
  # $1 is a bound parameter (PostgreSQL placeholder syntax); the value is sent
  # separately from the query text and can never alter its structure
  Repo.query("SELECT * FROM users WHERE id = $1", [id])
end

Bad (Python)

def get_user(user_id):
    # user_id is interpolated into the query text before the database sees it
    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

Good (Python)

def get_user(user_id):
    # %s here is the DB-API placeholder of drivers such as psycopg2, not string
    # formatting: the driver binds user_id as a value (sqlite3 uses ? instead)
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))