This rule detects SQL queries that are constructed by concatenating or interpolating strings with variables. Building queries in this manner makes the application vulnerable to SQL Injection attacks. An attacker could provide malicious input that alters the query’s logic, potentially leading to unauthorized data access, data modification, or execution of arbitrary commands on the database.
To mitigate this vulnerability, use prepared statements with parameterized queries. This practice ensures that user input is treated as data and not as executable code, effectively preventing SQL injection attacks.
Non-Compliant Code Examples
importFoundationfuncfindUserUnsafe(withNameuserName:String){//// NON-COMPLIANT: String concatenation// This query is built by joining a string literal containing a SQL keyword// with a variable. This will be flagged by the rule.//letqueryConcat="SELECT * FROM users WHERE name = '"+userName+"'"// Execute the dangerous query...// execute(queryConcat)}funcfindUserUnsafeMultiline(withNameuserName:String){//// NON-COMPLIANT: String concatenation// This query is built by joining a string literal containing a SQL keyword// with a variable. This will be flagged by the rule.//letqueryConcat="""SELECT * FROM users WHERE name ='"""+userName// Execute the dangerous query...// execute(queryConcat)}funcfindItemUnsafe(ownedByowner:String){//// NON-COMPLIANT: String interpolation// This query uses Swift's string interpolation feature `\()` to embed// the variable directly into the string. The rule detects the interpolation// within a string that also contains a SQL keyword.//letqueryInterpolate="SELECT * FROM items WHERE owner = '\(owner)'"// Execute the dangerous query...// execute(queryInterpolate)}funcfindItemUnsafeMulti(ownedByowner:String){//// NON-COMPLIANT: String interpolation// This query uses Swift's string interpolation feature `\()` to embed// the variable directly into the string. The rule detects the interpolation// within a string that also contains a SQL keyword.//letqueryInterpolate="""SELECT * FROM items
WHERE owner = '\(owner)'"""// Execute the dangerous query...// execute(queryInterpolate)}
Compliant Code Examples
importFoundation// Assuming a hypothetical database library that supports parameterized queries.// The syntax is similar to popular libraries like SQLite.swift or FMDB.// A placeholder for a database connection object.classDatabase{funcprepare(_statement:String)->Statement{// In a real implementation, this would compile the SQL statement.returnStatement(sql:statement)}}// A placeholder for a prepared statement object.classStatement{letsql:Stringinit(sql:String){self.sql=sql}// The `run` method would safely bind the parameters and execute the query.funcrun(_bindings:Any...){print("Executing query: \(self.sql) with safe bindings: \(bindings)")}}letdb=Database()// Assume we have a database connection.funcfindUserSafe(withNameuserName:String){//// COMPLIANT: Using a parameterized query// The query string uses a placeholder `?` instead of the actual variable.// The database driver is responsible for safely substituting the `userName`// value for the placeholder, preventing it from being interpreted as SQL code.// This pattern is not flagged by the rule.//letquery="SELECT * FROM users WHERE name = ?"letstatement=db.prepare(query)statement.run(userName)}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- swift-security # Rules to enforce Unknown security.
