# SQL Injection (CWE-89)

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

**Stack:** Python

- Prevalence: Very Common (OWASP Top 10 since 2010)
- Impact: Critical (data breach, auth bypass, RCE)
- Prevention: Well understood (parameterized queries)

**OWASP:** A03:2021 - Injection (#3)

## Description

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database.

## Prevention

SQL Injection prevention measures based on 2 Shoulder detection rules.

### Python

- Use parameterized GraphQL queries with variables instead of string formatting
- Use parameterized queries with placeholder syntax

**Vulnerable code:**

```python
# VULNERABLE: string formatting places user_id directly into the SQL text
query = f"SELECT * FROM users WHERE id = '{user_id}'"
cursor.execute(query)
```

**Secure code:**

```python
# SAFE: parameterized query; the driver sends user_id as data, not as SQL
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))

# Or with the SQLAlchemy ORM, which binds the value for you
user = session.query(User).filter(User.id == user_id).first()
```

## Warning Signs

- [HIGH] Unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection
- [CRITICAL] Untrusted user input flowing into SQL database queries without proper parameterization

## Audit Steps

1. Search for `cursor.execute()`, `engine.execute()`
2. Check for f-strings or `.format()` in SQL queries
3. Verify SQLAlchemy `text()` calls use bound parameters
4. Review raw SQL in Django ORM (`extra()`, `raw()`)

## Consequences

- Read application data
- Modify application data
- Bypass protection mechanisms
- Execute unauthorized commands

## Mitigations

- Use parameterized queries or prepared statements
- Use stored procedures with parameterized queries
- Escape all user input with database-specific escaping routines

## Detection

- Total rules: 7
- Critical: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **GraphQL Injection / Unsafe Query Construction** [HIGH]: Detects unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection in production. These can lead to injection attacks, DoS via deeply nested queries, or information disclosure.
  - Remediation: Use parameterized queries with variables instead of string formatting; disable introspection in production.

  ```python
  import graphene

  class Query(graphene.ObjectType):
      user = graphene.Field(User, id=graphene.String(required=True))

      def resolve_user(self, info, id):
          # The resolver receives id as a typed argument; pass it to the ORM
          # as a parameter, never by formatting it into a query string.
          return User.objects.get(pk=id)

  # Client sends: query GetUser($id: String!) { user(id: $id) { name } }
  # With variables: {"id": "123"}
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-89/graphql-injection

- **SQL Injection via Database Queries** [CRITICAL]: Detects untrusted user input flowing into SQL database queries without proper parameterization.
  - Remediation: Use parameterized queries with placeholders.

  ```python
  cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
  ```

  Learn more: https://shoulder.dev/learn/python/cwe-89/sql-injection
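A first pass at Audit Steps 1, 2 and 4 can be automated. The following added example (not Shoulder's rule code) walks a Python module's AST and flags `execute()`, `executemany()` and `raw()` calls whose SQL argument is an f-string, a `.format()` call, a `%` expression or a concatenation with non-literal operands; the scanned source is a constructed sample.

```python
import ast

# Constructed sample source to scan (not taken from the page): three dynamic queries, two safe ones.
SAMPLE_SOURCE = '''
def lookup(cursor, user_id):
    cursor.execute(f"SELECT * FROM users WHERE id = '{user_id}'")
    cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))
    cursor.execute("SELECT * FROM users WHERE id = '%s'" % user_id)
    cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
    engine.execute(text("SELECT * FROM t WHERE id = :id"), {"id": user_id})
'''

# Method names whose first positional argument is SQL text (DB-API cursors, SQLAlchemy, Django raw()).
QUERY_METHODS = {"execute", "executemany", "raw"}


def is_dynamic_string(node):
    """True when the SQL argument is assembled at runtime: f-string, .format(), % or + on non-literals."""
    if isinstance(node, ast.JoinedStr):                       # f"...{user_id}..."
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "...{}".format(user_id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return True                                           # "...%s" % user_id
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        # "a" + "b" is only a split literal; "..." + user_id splices untrusted data into the SQL
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    return False


def find_unsafe_queries(source):
    """Return sorted (lineno, method) pairs for query calls whose SQL text is built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in QUERY_METHODS or not node.args:
            continue
        if is_dynamic_string(node.args[0]):
            findings.append((node.lineno, node.func.attr))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, method in find_unsafe_queries(SAMPLE_SOURCE):
        print(f"line {lineno}: .{method}() receives SQL built at runtime; pass values as bound parameters")
```

The check is syntactic, so a query string assembled in a variable before the call is not caught; it narrows the manual review to the call sites the audit steps name.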