Veracode SAST scanner is tagging Excel file imports with CWE-89 (SQL Injection):
Attack Vector: system_data_dll.System.Data.Common.DbDataAdapter.Fill
Number of Modules Affected: 1
Description: This database query contains a SQL injection flaw. The call to system_data_dll.System.Data.Common.DbDataAdapter.Fill() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. Fill() was called on the adpt object, which contains tainted data. The tainted data originated from earlier calls to system_data_dll.System.Data.SqlClient.SqlCommand.ExecuteScalar, system_data_dll.System.Data.OleDb.OleDbConnection.GetOleDbSchemaTable, and system_web_dll.System.Web.HttpRequest.get_Files.
Remediation: Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.
I am using the typical method of opening the Excel file (uploaded by a user) through an OleDbConnection and loading a DataTable with a specific worksheet. It appears that Veracode is upset with the "Select * from [" & worksheetname & "]", tagging it as SQL injection. There is no way to use a parameter on the table name of an SQL statement. I have attempted to use string substitution: String.Format("Select * FROM [{0}]", worksheetname). I have also attempted to scrub the worksheet name by removing obvious SQL actions (Select, update, insert, delete, execute). A further constraint is that I do not know the name of the worksheet. In some cases I am looking for partial words to be able to distinguish a particular type of upload, but I do not have a whitelist of all possible worksheet names, although I have attempted a whitelist solution by passing the worksheet name in a SQL query against a table (using a parameter) and returning a worksheet name, and it triggers the same error (actually part of the error list above).
Imports System.Data
Imports System.Data.OleDb

Public Shared Function ExcelFirstTableName(ByRef ExcelConn As System.Data.OleDb.OleDbConnection) As String
    '--http://support.microsoft.com/kb/318373
    Dim ExcelSheets As Data.DataTable
    Dim dr As Data.DataRow
    Dim FirstSheetName As String = Nothing
    ' Ask the provider for its own list of tables (worksheets and named ranges)
    ExcelSheets = ExcelConn.GetOleDbSchemaTable(System.Data.OleDb.OleDbSchemaGuid.Tables, New Object() {Nothing, Nothing, Nothing, "TABLE"})
    For Each dr In ExcelSheets.Rows
        If CStr(dr.Item("TABLE_TYPE")) = "TABLE" Then
            FirstSheetName = CStr(dr.Item("TABLE_NAME"))
            Exit For
        End If
    Next dr
    Return FirstSheetName
End Function

Dim ExcelConn As New System.Data.OleDb.OleDbConnection("provider=Microsoft.ACE.OLEDB.12.0; Data Source=""" & fName & """; Extended Properties=""Excel 12.0;HDR=YES;IMEX=1;ImportMixedTypes = Text;""")
ExcelConn.Open() ' the connection must be open before GetOleDbSchemaTable is called
Dim WorksheetName As String = ExcelFirstTableName(ExcelConn)
Dim dt As New Data.DataTable()
Dim adpt As OleDbDataAdapter = New OleDbDataAdapter("select * from [" & WorksheetName & "]", ExcelConn)
adpt.Fill(dt) ' <-- this is the line tagged.
...
The code functions fine - just trying to pass the Veracode scanner by removing SQL injection.
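An added example, not code from the original post and with no claim that Veracode's taint tracking will accept it: select the worksheet from the names the ACE provider itself reports (a predicate handles the partial-word case), enforce a strict character allowlist that excludes `[` and `]`, and only then interpolate the provider-supplied name. The module name, the regex and the `Contains("Orders")` predicate in the usage note are assumptions for illustration.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.OleDb
Imports System.Text.RegularExpressions
' Hypothetical helper module (not from the original post).
Public Module SafeExcelQuery
    ' Names as the ACE provider reports them: letters, digits, spaces and
    ' underscores, a trailing "$" for worksheets, optionally quoted when the
    ' name contains spaces ('My Sheet$'). No "[" or "]" can get through.
    Private ReadOnly SheetNamePattern As New Regex("^'?[A-Za-z0-9_ ]+\$?'?$")
    ' Worksheet/range names taken straight from the provider's schema table.
    Public Function ListWorksheets(conn As OleDbConnection) As List(Of String)
        Dim names As New List(Of String)()
        Dim schema As DataTable = conn.GetOleDbSchemaTable(
            OleDbSchemaGuid.Tables, New Object() {Nothing, Nothing, Nothing, "TABLE"})
        For Each row As DataRow In schema.Rows
            names.Add(CStr(row("TABLE_NAME")))
        Next
        Return names
    End Function
    ' Pick the first provider-reported name that satisfies the caller's
    ' predicate (partial-word matching lives in the predicate, not in SQL),
    ' then enforce the character allowlist before it is ever interpolated.
    Public Function ResolveWorksheet(conn As OleDbConnection, matches As Func(Of String, Boolean)) As String
        For Each known As String In ListWorksheets(conn)
            If matches(known) Then
                If Not SheetNamePattern.IsMatch(known) Then
                    Throw New InvalidOperationException("Worksheet name outside the allowlist: " & known)
                End If
                Return known
            End If
        Next
        Throw New InvalidOperationException("No worksheet matched the selection rule.")
    End Function
    Public Function LoadWorksheet(conn As OleDbConnection, matches As Func(Of String, Boolean)) As DataTable
        Dim sheet As String = ResolveWorksheet(conn, matches)
        Dim dt As New DataTable()
        ' Only the validated, provider-supplied identifier reaches the query text.
        Using adpt As New OleDbDataAdapter("SELECT * FROM [" & sheet & "]", conn)
            adpt.Fill(dt)
        End Using
        Return dt
    End Function
End Module
```

With an open connection, `SafeExcelQuery.LoadWorksheet(ExcelConn, Function(n) True)` reproduces the first-sheet behaviour above, and `SafeExcelQuery.LoadWorksheet(ExcelConn, Function(n) n.Contains("Orders"))` covers the partial-word case.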