codeql icon indicating copy to clipboard operation
codeql copied to clipboard

Published 20 hours ago verified publisher icon github

C#: Azure Function HttpTrigger SQL Injection is not being detected

Open DavidJFowler opened this issue 1 year ago • 3 comments
trafficstars

Description of the issue

CodeQL scan is not picking up SQL Injection vulnerability in the following Azure Function trigger:

using System.Net;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;
using Microsoft.Data.Sqlite;
using Microsoft.Extensions.Logging;
using Dapper;

namespace DavidF.Demo.GithubActions.Functions;

public class HelloWorldFunction
{
    private readonly SqliteConnection _sqliteConnection;
    private readonly ILogger _logger;

    public HelloWorldFunction(ILoggerFactory loggerFactory, SqliteConnection sqliteConnection)
    {
        _sqliteConnection = sqliteConnection;
        _logger = loggerFactory.CreateLogger<HelloWorldFunction>();
    }

    [Function("HelloWorldFunction")]
    public async Task<HttpResponseData> Run([HttpTrigger(AuthorizationLevel.Function, "get", "post")] HttpRequestData req)
    {
        _logger.LogInformation("C# HTTP trigger function processed a request.");

        var sql = $"SELECT * FROM USER WHERE Name = '{req.Query["name"]}'";

        _sqliteConnection.Open();

        var res = await _sqliteConnection.QueryAsync<UserDto>(sql);

        var response = req.CreateResponse(HttpStatusCode.OK);

        await response.WriteAsJsonAsync(res);

        return response;
    }

    public record UserDto(long Id, string Name);
}

Tested in GitHub actions and also locally using CLI:

c:\codeql\codeql.exe database analyze "codeql-db" --format=sarif-latest --output="codeql-output" --threads=0 '..\codeql\csharp\ql\src\Security Features\cwe-089\SqlInjection.ql'

DavidJFowler avatar Dec 14 '23 11:12 DavidJFowler

Thank you for reporting this issue. The reason for not finding the SQL injection is that we don't have any models for Azure Functions, so we don't find the req parameter as a flow source. I created an internal issue to model Azure Function libraries.

tamasvajk avatar Dec 14 '23 14:12 tamasvajk

Hi @tamasvajk,

Is there any update we can provide on the status of Azure Functions?

Thanks!

rvermeulen avatar Oct 15 '24 21:10 rvermeulen

There's no update. We haven't started modeling Azure Functions.

tamasvajk avatar Oct 16 '24 11:10 tamasvajk

Hi! Just wondering if this has been looked into. We have run across a very similar problem where CodeQL has not been able to detect a pretty basic SQL injection in an AzureFunction with an HTTP Trigger.

vinaykkrishnan avatar Aug 28 '25 09:08 vinaykkrishnan

Hi! Just wondering if this has been looked into. We have run across a very similar problem where CodeQL has not been able to detect a pretty basic SQL injection in an AzureFunction with an HTTP Trigger.

There is no work planned for this area at the moment.

michaelnebel avatar Sep 01 '25 06:09 michaelnebel