
I'm getting this error from Checkmarx:

The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.

using System.Collections.Generic;
using System.Data;
using System.Text;
using Dapper;

public class CurrClientEntity
{
    public string C_Code { get; set; }

    public string C_Id { get; set; }
}

public CurrClientEntity GetCurrClientId(string c_Code)
{
    // The SQL text is fixed; the caller-supplied value only ever reaches the
    // database as a bound parameter, never as part of the query string.
    var sql = new StringBuilder(@"SELECT C_CODE,C_ID FROM TBL_CLIENT");
    sql.Append(" WHERE VALID =:VALID  ");
    sql.Append(" AND C_CODE = :C_CODE  ");

    // Dapper strips a leading '@' (or ':') from the key, so "@C_CODE" binds to :C_CODE.
    var dictionary = new Dictionary<string, object>
    {
        { "@C_CODE", c_Code },
        { "@VALID", 'Y' },
    };
    var parameters = new DynamicParameters(dictionary);

    // CreateConnection() is defined elsewhere in the poster's code base.
    using (IDbConnection conn = CreateConnection())
    {
        return conn.QueryFirstOrDefault<CurrClientEntity>(sql.ToString(), parameters);
    }
}
yaloner
  • You're using parameters, so you should be safe. – Dai Jul 19 '22 at 08:24
  • @GökhanBozkurt I don't think Checkmarx recognizes the DynamicParameters as a sanitizer, so you will have to override the Second Order SQL Injection Checkmarx Query to include it, using CxAudit – securecodeninja Jul 19 '22 at 23:07

1 Answer


Having looked into it, Checkmarx SAST does not support Dapper and misses the safe execution of QueryFirstOrDefault().
Your code seems fine, so you can mark this as Not Exploitable and report it as a False Positive result to Checkmarx.

yaloner
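To make the distinction the answer relies on concrete, here is an added example (not code from the question or the answer above) that runs the same lookup twice against an in-memory SQLite database: once with the client code spliced into the SQL text, which is the pattern Checkmarx's finding describes and which a SAST tool should flag, and once with Dapper's DynamicParameters, which is what the posted method does. It assumes the Dapper and Microsoft.Data.Sqlite NuGet packages; the table, the two rows and the attacker string are constructed for the demo.

```csharp
using System;
using System.Data;
using Dapper;
using Microsoft.Data.Sqlite;

public class CurrClientEntity
{
    public string C_Code { get; set; }
    public string C_Id { get; set; }
}

public static class ClientLookupDemo
{
    // Constructed fixture: one valid client and one that must stay hidden (VALID = 'N').
    public static IDbConnection CreateConnection()
    {
        var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        conn.Execute("CREATE TABLE TBL_CLIENT (C_CODE TEXT, C_ID TEXT, VALID TEXT)");
        conn.Execute("INSERT INTO TBL_CLIENT VALUES ('ACME', '1001', 'Y'), ('SECRET', '9999', 'N')");
        return conn;
    }

    // Injectable: c_Code becomes part of the SQL text, so the database parses it as SQL.
    // This is the shape of code the Checkmarx message actually describes.
    public static CurrClientEntity GetUnsafe(IDbConnection conn, string c_Code)
    {
        var sql = "SELECT C_CODE, C_ID FROM TBL_CLIENT WHERE VALID = 'Y' AND C_CODE = '" + c_Code + "'";
        return conn.QueryFirstOrDefault<CurrClientEntity>(sql);
    }

    // Parameterized: the query text is constant and c_Code is sent as a bound value.
    // Dapper strips the leading '@' from the key and hands the value to the provider.
    public static CurrClientEntity GetSafe(IDbConnection conn, string c_Code)
    {
        const string sql = "SELECT C_CODE, C_ID FROM TBL_CLIENT WHERE VALID = @VALID AND C_CODE = @C_CODE";
        var parameters = new DynamicParameters();
        parameters.Add("@C_CODE", c_Code);
        parameters.Add("@VALID", "Y");
        return conn.QueryFirstOrDefault<CurrClientEntity>(sql, parameters);
    }

    public static void Main()
    {
        // Constructed attacker input: closes the literal, ORs in the hidden row,
        // and comments out the trailing quote that the concatenation appends.
        string hostile = "x' OR C_CODE = 'SECRET' --";

        using (var conn = CreateConnection())
        {
            var leaked = GetUnsafe(conn, hostile);
            Console.WriteLine($"concatenated: {leaked?.C_Code ?? "(no row)"}");  // the VALID filter is bypassed

            var bound = GetSafe(conn, hostile);
            Console.WriteLine($"parameterized: {bound?.C_Code ?? "(no row)"}");  // the whole string is just a value
        }
    }
}
```

Run it and the concatenated version returns the SECRET row even though its VALID flag is 'N', while the parameterized version returns nothing because the database compares C_CODE against the literal string `x' OR C_CODE = 'SECRET' --`. That second behaviour is the property the posted GetCurrClientId already has; the scanner's complaint is about not recognising Dapper's parameter binding as the sanitizer, not about the query being exploitable.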