# SQL Injection (CWE-89)

User input is concatenated directly into SQL queries, allowing attackers to modify the query logic and access or manipulate data. This is one of the oldest and most dangerous vulnerability classes, responsible for some of the largest data breaches in history.

**Stack:** Python

- Prevalence: Very Common (OWASP Top 10 since 2010)
- Impact: Critical (data breach, auth bypass, RCE)
- Prevention: Well understood (parameterized queries)

**OWASP:** Injection (A03:2021-Injection) - #3

## Description

Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database.

## Prevention

SQL Injection prevention strategy based on 2 Shoulder detection rules.

### Python

- Use parameterized GraphQL queries with variables instead of string formatting
- Use parameterized queries with placeholder syntax

**Vulnerable code:**

```python
# VULNERABLE: string formatting places user_id inside the SQL text,
# so quote characters in the input become part of the query
query = f"SELECT * FROM users WHERE id = '{user_id}'"
cursor.execute(query)
```

**Secure code:**

```python
# SAFE: parameterized query; the driver sends user_id as data, not SQL
query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (user_id,))

# Or with SQLAlchemy ORM, which binds the value for you
user = session.query(User).filter(User.id == user_id).first()
```

## Warning Signs

- [HIGH] unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection
- [CRITICAL] untrusted user input flowing into SQL database queries without proper parameterization

## Audit Steps

1. Search for cursor.execute(), engine.execute()
2. Check for f-strings or .format() in SQL queries
3. Verify SQLAlchemy text() calls use bound parameters
4. Review raw SQL in Django ORM (extra(), raw())

## Consequences

- Read application data
- Modify application data
- Bypass protection mechanisms
- Execute unauthorized commands

## Mitigations

- Use parameterized queries or prepared statements
- Use stored procedures together with parameterized queries
- Escape all user input with the escaping routine specific to the database in use

## Detection

- Total rules: 7
- Critical: 6
- Languages: go, javascript, typescript, python

## Rules by Language

### Python (2 rules)

- **GraphQL Injection / Unsafe Query Construction** [HIGH]: Detects unsafe GraphQL query construction with user input, missing query depth limiting, or disabled introspection in production. These can lead to injection attacks, DoS via deeply nested queries, or information disclosure.
  - Remediation: Use parameterized queries with variables instead of string formatting; disable introspection in production.

```python
import graphene

# User is the application's user type/model, defined elsewhere in the app
class Query(graphene.ObjectType):
    user = graphene.Field(User, id=graphene.String(required=True))

    def resolve_user(self, info, id):
        return User.objects.get(pk=id)  # Use parameter, not f-string

# Client sends: query GetUser($id: String!) { user(id: $id) { name } }
# With variables: {"id": "123"}
```

Learn more: https://shoulder.dev/learn/python/cwe-89/graphql-injection

- **SQL Injection via Database Queries** [CRITICAL]: Detects untrusted user input flowing into SQL database queries without proper parameterization.
  - Remediation: Use parameterized queries with placeholders.

```python
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

Learn more: https://shoulder.dev/learn/python/cwe-89/sql-injection
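The audit steps above (find `execute()`/`raw()`/`text()` calls, check whether their SQL is built with f-strings, `.format()` or `%`) can be automated as a small AST check. The following is an added example, not Shoulder's own rule code; the `SQL_SINKS` set and the flow-insensitive taint of assigned names are assumptions, and `SAMPLE` is a constructed module mixing the page's vulnerable and safe patterns.

```python
import ast

# Call names that take a SQL string as first argument (from the audit steps above).
# Assumption: extend this set for other drivers or ORMs.
SQL_SINKS = {"execute", "executemany", "raw", "extra", "text"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the node builds a string at runtime: f-string, .format(), % or + on non-constants."""
    if isinstance(node, ast.JoinedStr):
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.Call):
        return isinstance(node.func, ast.Attribute) and node.func.attr == "format"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return not (isinstance(node.left, ast.Constant) and isinstance(node.right, ast.Constant))
    return False


def find_dynamic_sql(source: str) -> list[tuple[int, str]]:
    """Return (line, sink name) for each SQL sink whose query argument is built dynamically.
    Names assigned a dynamic string anywhere in the module count as tainted (flow-insensitive)."""
    tree = ast.parse(source)
    tainted = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _is_dynamic_string(node.value):
            tainted.update(t.id for t in node.targets if isinstance(t, ast.Name))
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        arg = node.args[0]
        tainted_name = isinstance(arg, ast.Name) and arg.id in tainted
        if name in SQL_SINKS and (_is_dynamic_string(arg) or tainted_name):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample module mixing the vulnerable and safe patterns shown on this page.
SAMPLE = '''query = f"SELECT * FROM users WHERE id = '{user_id}'"
cursor.execute(query)
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
cursor.execute("SELECT * FROM users WHERE id = {}".format(user_id))
conn.execute(text("SELECT * FROM users WHERE id = :id"), {"id": user_id})
Post.objects.raw(f"SELECT * FROM posts WHERE author = '{author}'")
'''
```

`find_dynamic_sql(SAMPLE)` reports lines 2, 4, 5 and 7 of the sample; lines 3 and 6 pass a constant query with placeholders or a bound `text()` parameter and are not flagged.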