
I have a SqlConnection method that takes a connection string as a parameter. I am using Veracode to check for vulnerabilities in my code, and I got the following CWE 15 error:

This call to system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1() allows external control of system settings. The argument to the function is constructed using untrusted input, which can disrupt service or cause an application to behave in unexpected ways. The first argument to !newinit_0_1() contains tainted data from the variable connectionString. The tainted data originated from an earlier call to saturnrearchdataaccess_dll.SaturnRearchDataAccess.AdoHelper.GetDirectSqlCommand.

I am setting the connectionString in my Web.config file, and to my understanding it is complaining that it could be changed at some point.

Is there a way to check if the connectionString is tainted or not?

Here is my function:

using System.Configuration;
using System.Data.SqlClient;

// Looks up the named connection string in Web.config and opens a SqlConnection for it.
// `environ` is an environment prefix (e.g. for dev/test/prod) defined elsewhere in the class.
public static SqlConnection GetSqlConnection(string connectionStringName)
{
    var connectionString = ConfigurationManager.ConnectionStrings[environ + connectionStringName].ConnectionString;

    // Veracode flags this constructor call because connectionString is read from config (tainted).
    var conn = new SqlConnection(connectionString);

    return conn;
}
Hussam Ahmed
    Please see [this answer](https://stackoverflow.com/a/40843179/2791540) – John Wu May 21 '21 at 18:50
  • 1
    Sorry, but if someone already has access to the web.config, he has access to everything. Or in other words: if I can't trust the config, I can't trust anything. So this is a false warning IMO. What would be safer, not having configs at all? – Tim Schmelter May 21 '21 at 19:24
  • @TimSchmelter We are deploying our code onto Azure App Service; no one outside the company's admins should be able to access it. So, I was curious if there is something I could do to not let Veracode detect this as a security risk, or since no one other than the admins has access to it, should it be ignored? – Hussam Ahmed May 24 '21 at 15:58
  • @HussamAhmed: I don't know Veracode, but it seems you can put this CWE15 on the ignore-findings list: https://help.veracode.com/r/t_ignoreflaws_vs_code You could also use the `SqlConnectionStringBuilder` to avoid wrong servers or users being injected. – Tim Schmelter May 24 '21 at 17:19
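The following is an added example (not code from the asker or the commenters) of the SqlConnectionStringBuilder approach mentioned in the comments. Instead of passing the raw config value straight to SqlConnection, it parses the configured string, checks the server name against an allowlist, forces encryption on, and rebuilds the string from the parsed parts. Validating the tainted value against a fixed set of expected values is the usual way to satisfy a static-analysis taint finding such as CWE 15, and it also limits the damage if the config file is ever altered. The allowlist host names and the class name are assumptions for illustration; the `environ` prefix from the original function is omitted.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;

public static class SafeSqlConnectionFactory
{
    // Hypothetical allowlist of SQL Server instances this application may connect to.
    // Replace with the real expected servers; these are placeholder names.
    private static readonly HashSet<string> AllowedServers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "sqlserver.example.internal",
            "sqlserver.example.internal,1433",
        };

    public static SqlConnection GetSqlConnection(string connectionStringName)
    {
        if (string.IsNullOrWhiteSpace(connectionStringName))
            throw new ArgumentException("A connection string name is required.", nameof(connectionStringName));

        var settings = ConfigurationManager.ConnectionStrings[connectionStringName];
        if (settings == null)
            throw new ConfigurationErrorsException(
                "No connection string named '" + connectionStringName + "' is configured.");

        // Parse the configured string into its keyword/value parts.
        // This throws on malformed input, which is preferable to passing it through.
        var builder = new SqlConnectionStringBuilder(settings.ConnectionString);

        // Reject any data source that is not one of the expected servers.
        if (!AllowedServers.Contains(builder.DataSource))
            throw new InvalidOperationException(
                "Configured data source '" + builder.DataSource + "' is not an allowed server.");

        // Enforce transport settings in code rather than trusting the config to set them.
        builder.Encrypt = true;
        builder.TrustServerCertificate = false;

        // Rebuild the string from the validated builder; only known keywords survive.
        return new SqlConnection(builder.ConnectionString);
    }
}
```

Whether Veracode clears the finding after this change depends on how its data-flow rules treat the builder, so the result still needs to be confirmed with a rescan; the allowlist check is what makes the flaw a non-issue in practice, independent of the tool's verdict.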

0 Answers