# RSTR-INJ-001 — SQL injection via f-string / template literal
## Summary
A SQL statement is built by interpolating user-controlled values into
a string with Python f-string or JS template-literal
syntax, and the result is passed to a `.execute(...)` / `.query(...)` /
`.executemany(...)` call. This is **SQL injection** — one
of the oldest and still most common high-impact web bugs.
## Severity
`High`.
## Languages
Python, JavaScript / TypeScript.
## What rastray flags
A call to `cursor.execute(...)` / `cursor.executemany(...)`
(Python) or `db.query(...)` / `db.execute(...)` (Node)
whose argument is an f-string or template literal
containing a `{...}` / `${...}` interpolation.
```python
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}") # ← flagged
```
```js
db.query(`SELECT * FROM users WHERE id = ${userId}`); // ← flagged
```
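The detection pattern above, as an added illustration written for this page and not rastray's own implementation: a small `ast`-based checker that flags a call to `.execute(...)` / `.executemany(...)` whose first argument is an f-string containing at least one `{...}` slot. The sink-name set and the sample source are assumptions constructed for the example. Note that the rule as worded covers only f-strings and template literals; `%`-formatting, `.format()` and `+` concatenation build the same injectable strings and would need their own pattern.

```python
"""Added example: minimal AST checker for the pattern described by this
rule (an f-string with an interpolation passed to .execute/.executemany).
Illustrative code for this page, not rastray's implementation."""
import ast

# Method names this example treats as SQL sinks. Assumption: mirrors the
# rule text; rastray's real sink list may be broader.
SQL_SINKS = {"execute", "executemany"}


def fstring_has_interpolation(node: ast.AST) -> bool:
    """True if `node` is an f-string (JoinedStr) with a `{...}` slot.
    A plain f"SELECT 1" with no slots parses as JoinedStr without any
    FormattedValue and is deliberately not flagged."""
    return isinstance(node, ast.JoinedStr) and any(
        isinstance(v, ast.FormattedValue) for v in node.values
    )


def find_fstring_sql(source: str) -> list[tuple[int, str]]:
    """Return (line_number, sink_name) for every `<obj>.<sink>(f"...{x}...")`
    call in `source`. Only the first positional argument is inspected,
    because that is where the SQL text goes for these sinks."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SQL_SINKS):
            continue
        if fstring_has_interpolation(node.args[0]):
            findings.append((node.lineno, func.attr))
    return findings


# Constructed sample source: lines 2 and 4 should be flagged, 3 and 5 not.
SAMPLE = '''
cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
cursor.executemany(f"INSERT INTO t VALUES ({a})", rows)
cursor.execute(f"SELECT 1")
'''

if __name__ == "__main__":
    for lineno, sink in find_fstring_sql(SAMPLE):
        print(f"line {lineno}: f-string with interpolation passed to .{sink}()")
```

Running the block prints two findings, one for each interpolated f-string in the constructed sample; the parameterised call and the slot-free f-string are left alone.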
## How to fix it
Use parameterised queries, passing the value as a separate argument so the driver sends it as data rather than as part of the SQL text:
```python
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```
```js
db.query('SELECT * FROM users WHERE id = ?', [userId]);
```
Or use an ORM that builds parameterised queries for you
(SQLAlchemy, Django ORM, Prisma, Sequelize).
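To make the difference between the flagged and the fixed form observable, here is an added example (written for this page, not taken from rastray or the references) that runs both lookups against a constructed in-memory SQLite table. The table contents and the inputs are constructed for the demonstration. SQLite's driver uses `?` placeholders (DB-API paramstyle `qmark`), whereas the `%s` in the fix above is the style used by drivers such as psycopg2; the placeholder syntax depends on the driver, the principle does not.

```python
"""Added example: interpolated vs parameterised lookup against an in-memory
SQLite table, so the behavioural difference can be checked offline.
Not code from the rule page or from rastray."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER NOT NULL, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return conn


def lookup_interpolated(conn: sqlite3.Connection, user_id: str) -> list:
    """The flagged pattern: the caller's string becomes part of the SQL text,
    so anything that is not a bare integer is parsed as SQL syntax."""
    cur = conn.execute(f"SELECT id, name FROM users WHERE id = {user_id}")
    return cur.fetchall()


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: the value is bound separately and compared as data.
    sqlite3 uses '?' placeholders; psycopg2-style drivers use '%s'."""
    cur = conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,))
    return cur.fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "2"
    # Constructed input that is not a bare integer. The interpolated form
    # treats it as SQL syntax; the parameterised form compares it as a value.
    hostile = "2 OR 1=1"
    print(lookup_interpolated(conn, benign))    # [(2, 'bob')]
    print(lookup_interpolated(conn, hostile))   # all three rows
    print(lookup_parameterised(conn, benign))   # [(2, 'bob')]
    print(lookup_parameterised(conn, hostile))  # [] : matches no id
```

With the benign input both functions return the same single row. With the non-integer input the interpolated query's `WHERE` clause no longer constrains anything and every row comes back, while the parameterised query simply finds no `id` equal to that string, which is exactly the behaviour the fix is meant to guarantee.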
## References
- [OWASP SQL Injection Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)
- [CWE-89: SQL Injection](https://cwe.mitre.org/data/definitions/89.html)
- [Bobby Tables](https://bobby-tables.com/)