
Take a look at this code:

using Microsoft.Azure.Cosmos;

var url = "https://mydatabase.documents.azure.com:443/";
var db = "my-db";
var key = "mykey";

// data.UniversalId and data.Uri come from the caller and are spliced straight into the query text
var sqlQueryText = $"SELECT * FROM CelCoinData f WHERE f.id = '{data.UniversalId}' and f.uri = '{data.Uri}'";

var cliente = new CosmosClient(url, key);
var database = cliente.GetDatabase(db);
var containers = database.GetContainer("MyContainer");
var dados = new DataCosmosDB();

// the interpolated string is passed as the raw query
var iterator = containers.GetItemQueryIterator<DataCosmosDB>(sqlQueryText);

In my opinion, this is textbook SQL injection, but SonarCloud does not flag it as such. WHY?

Is Cosmos invulnerable to it? Does the Cosmos client somehow figure this out and adjust accordingly, and is Sonar aware of this?

Leonardo
  • I'm curious what your concern is, around SQL injection with Cosmos DB, as the SQL API's language is limited to `SELECT` only: no inserts, no updates, no table creation/drops (well, collections in this case). – David Makogon Apr 16 '21 at 12:14
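The snippet in the question builds the query with string interpolation, so whatever the caller puts in `data.UniversalId` becomes part of the query grammar. The following is an added example, not code from the original post, that shows the injected query text next to the hardened form using the Cosmos SDK's `QueryDefinition` with named parameters (Microsoft.Azure.Cosmos 3.x API; the input values are constructed test data). It builds both queries in memory so it runs without a Cosmos account; the commented tail shows how the parameterized query would be executed.

```csharp
// Added example (not from the original post): interpolated query vs. parameterized QueryDefinition.
// Assumes Microsoft.Azure.Cosmos 3.x. The id and uri values below are constructed test data.
using System;
using Microsoft.Azure.Cosmos;

public class CosmosQueryDemo
{
    // Vulnerable: caller-controlled values are concatenated into the SQL text.
    public static string BuildInterpolated(string universalId, string uri) =>
        $"SELECT * FROM CelCoinData f WHERE f.id = '{universalId}' and f.uri = '{uri}'";

    // Hardened: the query text is fixed and the values travel as named parameters,
    // so the service binds them as plain values and never parses them as SQL.
    public static QueryDefinition BuildParameterized(string universalId, string uri) =>
        new QueryDefinition("SELECT * FROM CelCoinData f WHERE f.id = @id AND f.uri = @uri")
            .WithParameter("@id", universalId)
            .WithParameter("@uri", uri);

    public static void Main()
    {
        // Constructed malicious input: closes the string literal and ORs in a tautology.
        string evilId = "x' OR 1=1 OR f.id = 'x";
        string uri = "https://example.invalid/resource";

        Console.WriteLine(BuildInterpolated(evilId, uri));
        // Produces:
        //   SELECT * FROM CelCoinData f WHERE f.id = 'x' OR 1=1 OR f.id = 'x' and f.uri = 'https://...'
        // AND binds tighter than OR, so the predicate is
        //   f.id = 'x' OR 1=1 OR (f.id = 'x' AND f.uri = '...')
        // which is true for every document: a SELECT-only API is still enough to read
        // other users' records, even though the attacker cannot insert or delete.

        QueryDefinition safe = BuildParameterized(evilId, uri);
        Console.WriteLine(safe.QueryText);
        foreach (var (name, value) in safe.GetQueryParameters())
            Console.WriteLine($"  {name} = {value}");
        // The payload is bound to @id as an ordinary string value; the WHERE clause is unchanged
        // and the query simply matches no document with that literal id.
    }

    // Executing the hardened query against a real account (url, key, db as in the question):
    //   var container = new CosmosClient(url, key).GetDatabase(db).GetContainer("MyContainer");
    //   using var it = container.GetItemQueryIterator<DataCosmosDB>(BuildParameterized(id, uri));
    //   while (it.HasMoreResults)
    //       foreach (var doc in await it.ReadNextAsync()) { /* handle doc */ }
}
```

The point for a static analyzer is that `GetItemQueryIterator<T>(string)` is a sink only when it receives attacker-influenced text; the `QueryDefinition` overload keeps the query text constant, which is the shape a taint analysis expects regardless of whether the tool has this particular sink in its list.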

1 Answer


According to SonarCloud support, Cosmos is not detected as a SINK yet. They will make the appropriate changes.

Leonardo