chore(detectors): Add page for Query Injection Issues #14209
roggenkemper wants to merge 3 commits into master from roggenkemper/queryinjectionissue
docs/product/issues/issue-details/query-injection-issues/index.mdx
@@ -0,0 +1,38 @@ | ||
--- | ||
title: "Potential Query Injection Vulnerability Issues" | ||
sidebar_order: 50 | ||
description: "Learn more about Potential Query Injection Vulnerability issues and how to diagnose and fix them." | ||
--- | ||
|
||
Potential Query Injection Vulnerability issues are raised when Sentry detects values taken directly from an incoming request being incorporated into a database query. Unsanitized interpolation of user input can lead to [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) and related attacks. | ||
|
||
## Detection Criteria | ||
|
||
The detector evaluates each request in **two stages**: | ||
|
||
1. **Filter request values** – Discards tokens that are: | ||
|
||
- too short, | ||
- SQL keywords, or | ||
- other frequently benign values | ||
|
||
2. **Match against queries** – Scans database queries and if **both** a payload key _and_ its value appear in the same query, Sentry creates a Potential Query Injection Vulnerability issue. | ||
|
||
### Example | ||
|
||
``` | ||
Request → GET /api?username=bob | ||
Query → SELECT * FROM users WHERE username = 'bob' | ||
``` | ||
|
||
Because the value `'bob'` is inserted directly from the `username` parameter into the query, Sentry flags the operation as potentially vulnerable. **An issue indicates a security _risk_, not a confirmation that an exploit has already occurred.** | ||
|
||
### False Positives | ||
|
||
Some ORMs or query‑builder libraries assemble SQL strings internally before parameterizing them. We automatically suppress many known libraries, but unrecognized ones may still trigger the detector. If you believe an issue is a false positive, leave feedback on the issue page. | ||
|
||
## Remediation | ||
|
||
- Use **parameterised queries / prepared statements** instead of string concatenation. | ||
- **Validate and sanitise** all external input. | ||
- Avoid **raw queries** when safe ORM APIs are available. |
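Review bot: in the Remediation list, "Validate and sanitise all external input" is presented as a peer of parameterised queries, but sanitising on its own does not prevent SQL injection; suggest stating parameterised queries / prepared statements as the fix and framing validation as defence in depth, and adding a one-line parameterised form of the example query (e.g. `SELECT * FROM users WHERE username = ?` with `bob` bound as a parameter) so readers see what resolves the issue. Two smaller points in the same hunk: the value the `username` parameter carries is `bob`, not `'bob'` (the quotes are SQL literal syntax), so the sentence after the example should refer to the value `bob`; and spelling is mixed between `parameterizing` in the False Positives paragraph and `parameterised` / `sanitise` in Remediation, so pick one form. The example fence could also carry a language tag for consistent rendering.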
Do we capitalize "Potential Query Injection Vulnerability" in the product?
Yes - right now all of these detected issues (performance issues, for example) are capitalized.