This rule detects SQL queries that are constructed by concatenating or interpolating strings with variables. Building queries in this manner makes the application vulnerable to SQL Injection attacks. An attacker could provide malicious input that alters the query’s logic, potentially leading to unauthorized data access, data modification, or execution of arbitrary commands on the database.
To mitigate this vulnerability, use prepared statements with parameterized queries. This practice ensures that user input is treated as data and not as executable code, effectively preventing SQL injection attacks.
Non-Compliant Code Examples
```swift
import Foundation

func findUserUnsafe(withName userName: String) {
    //
    // NON-COMPLIANT: String concatenation
    // This query is built by joining a string literal containing a SQL keyword
    // with a variable. This will be flagged by the rule.
    //
    let queryConcat = "SELECT * FROM users WHERE name = '" + userName + "'"
    // Execute the dangerous query...
    // execute(queryConcat)
}

func findUserUnsafeMultiline(withName userName: String) {
    //
    // NON-COMPLIANT: String concatenation
    // This query is built by joining a string literal containing a SQL keyword
    // with a variable. This will be flagged by the rule.
    //
    let queryConcat = """
        SELECT * FROM users WHERE name ='
        """ + userName
    // Execute the dangerous query...
    // execute(queryConcat)
}

func findItemUnsafe(ownedBy owner: String) {
    //
    // NON-COMPLIANT: String interpolation
    // This query uses Swift's string interpolation feature `\()` to embed
    // the variable directly into the string. The rule detects the interpolation
    // within a string that also contains a SQL keyword.
    //
    let queryInterpolate = "SELECT * FROM items WHERE owner = '\(owner)'"
    // Execute the dangerous query...
    // execute(queryInterpolate)
}

func findItemUnsafeMulti(ownedBy owner: String) {
    //
    // NON-COMPLIANT: String interpolation
    // This query uses Swift's string interpolation feature `\()` to embed
    // the variable directly into the string. The rule detects the interpolation
    // within a string that also contains a SQL keyword.
    //
    let queryInterpolate = """
        SELECT * FROM items
        WHERE owner = '\(owner)'
        """
    // Execute the dangerous query...
    // execute(queryInterpolate)
}
```
Compliant Code Examples
```swift
import Foundation

// Assuming a hypothetical database library that supports parameterized queries.
// The syntax is similar to popular libraries like SQLite.swift or FMDB.

// A placeholder for a database connection object.
class Database {
    func prepare(_ statement: String) -> Statement {
        // In a real implementation, this would compile the SQL statement.
        return Statement(sql: statement)
    }
}

// A placeholder for a prepared statement object.
class Statement {
    let sql: String

    init(sql: String) {
        self.sql = sql
    }

    // The `run` method would safely bind the parameters and execute the query.
    func run(_ bindings: Any...) {
        print("Executing query: \(self.sql) with safe bindings: \(bindings)")
    }
}

let db = Database() // Assume we have a database connection.

func findUserSafe(withName userName: String) {
    //
    // COMPLIANT: Using a parameterized query
    // The query string uses a placeholder `?` instead of the actual variable.
    // The database driver is responsible for safely substituting the `userName`
    // value for the placeholder, preventing it from being interpreted as SQL code.
    // This pattern is not flagged by the rule.
    //
    let query = "SELECT * FROM users WHERE name = ?"
    let statement = db.prepare(query)
    statement.run(userName)
}
```
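The compliant pattern above uses a placeholder `Database` class. As an added example that is not part of the Datadog rule page, the same pattern against the real SQLite C API (`import SQLite3`, available on Apple platforms) shows what the driver actually does with the `?` slot: the value is bound as bytes and is never parsed as SQL, so a value shaped like a query fragment simply matches no row. It assumes an in-memory database and a constructed `users` table.

```swift
import Foundation
import SQLite3

// SQLITE_TRANSIENT is a macro the Swift importer does not expose; this is the usual idiom
// that tells SQLite to copy the bound bytes before the call returns.
let SQLITE_TRANSIENT = unsafeBitCast(-1, to: sqlite3_destructor_type.self)

func findUserSafe(db: OpaquePointer, name: String) throws -> [String] {
    // COMPLIANT: the SQL text is a constant. `?` is a bind slot, not spliced text.
    let sql = "SELECT name FROM users WHERE name = ?"
    var stmt: OpaquePointer?
    guard sqlite3_prepare_v2(db, sql, -1, &stmt, nil) == SQLITE_OK else {
        throw NSError(domain: "sqlite", code: Int(sqlite3_errcode(db)))
    }
    defer { sqlite3_finalize(stmt) }

    // The statement was compiled before the value existed, so the bound bytes can only
    // ever be compared as data; quotes or keywords inside them change nothing.
    sqlite3_bind_text(stmt, 1, name, -1, SQLITE_TRANSIENT)

    var rows: [String] = []
    while sqlite3_step(stmt) == SQLITE_ROW {
        rows.append(String(cString: sqlite3_column_text(stmt, 0)))
    }
    return rows
}

// Constructed fixture: an in-memory database with two rows.
var db: OpaquePointer?
sqlite3_open(":memory:", &db)
sqlite3_exec(db, "CREATE TABLE users(name TEXT);", nil, nil, nil)
sqlite3_exec(db, "INSERT INTO users VALUES ('alice'), ('bob');", nil, nil, nil)

// A constructed value that would rewrite a concatenated query's WHERE clause.
// Bound as a parameter it is an ordinary string and matches no row.
let hostile = "alice' OR '1'='1"
print(try findUserSafe(db: db!, name: "alice"))  // ["alice"]
print(try findUserSafe(db: db!, name: hostile))  // []
sqlite3_close(db)
```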
How to use this rule
```yaml
rulesets:
  - swift-security # Rules to enforce Unknown security.
```
Create a static-analysis.datadog.yml with the content above at the root of your repository.
Use our free IDE plugins or add Code Security scans to your CI pipelines.