SQL Injection in Scala
Slick
Vulnerable example
The following snippet performs a SQL query using the facilities provided by Slick:
val db = Database.forURL("...")
db.run(sql"""SELECT * FROM Objects WHERE some_field = '#$some_variable'""".as[SomeObject])
In particular, the above code employs string interpolation to build the executable query, but it uses the #$ notation, which performs literal string interpolation: the raw text of some_variable is spliced directly into the SQL string. That is why single quotes have to be written by hand here to delimit the value of some_variable.
The above snippet is vulnerable to SQL Injection. Suppose, for example, that some_variable is set to ' OR some_field = 'some_other_value ; in this case, the code is equivalent to:
db.run(sql"""SELECT * FROM Objects WHERE some_field = '' OR some_field = 'some_other_value'""".as[SomeObject])
If some_variable is controlled by a malicious user, they could then be able to, among other things, alter the semantics of the query and return arbitrary values.
Prevention
Instead of using the #$ notation, the solution is to simply use $, which inserts the value as a bind variable (a JDBC parameter placeholder). This also takes care of quoting, so the hand-written single quotes are dropped; hence, the final query becomes:
db.run(sql"""SELECT * FROM Objects WHERE some_field = $some_variable""".as[SomeObject])
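The following added example (not code from the original page or from the Slick project) puts the two interpolators side by side against an in-memory H2 database, and shows how to inspect the SQL text Slick will actually send via .statements. It assumes Slick 3 and the H2 driver are on the classpath; the table, rows and object name are constructed for the demonstration.

```scala
// Added example: contrasts #$ (literal splice) and $ (bind variable) in Slick 3.
// Assumes slick and com.h2database:h2 on the classpath (hypothetical demo setup).
import slick.jdbc.H2Profile.api._
import scala.concurrent.Await
import scala.concurrent.duration.Duration

object SlickInterpolation {
  // Constructed in-memory database; DB_CLOSE_DELAY keeps it alive across connections.
  val db = Database.forURL("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1", driver = "org.h2.Driver")

  // Vulnerable form from the page: #$ splices the raw text into the SQL string,
  // so quotes must be added by hand and the input can terminate them early.
  def literalQuery(v: String) =
    sql"""SELECT name FROM Objects WHERE some_field = '#$v'""".as[String]

  // Prevention form from the page: $ sends the value as a JDBC bind parameter,
  // so the database never parses the input as SQL and no manual quoting is needed.
  def boundQuery(v: String) =
    sql"""SELECT name FROM Objects WHERE some_field = $v""".as[String]

  def main(args: Array[String]): Unit = {
    val setup = DBIO.seq(
      sqlu"CREATE TABLE Objects(name VARCHAR(64), some_field VARCHAR(64))",
      sqlu"INSERT INTO Objects VALUES ('a', 'x'), ('b', 'some_other_value')"
    )
    Await.result(db.run(setup), Duration.Inf)

    // The input discussed on the page: it closes the quote and appends a predicate.
    val input = "' OR some_field = 'some_other_value"

    // Check the generated SQL before running anything: with #$ the input text is
    // part of the statement; with $ the statement only contains a '?' placeholder.
    println("literal SQL: " + literalQuery(input).statements.head)
    println("bound SQL:   " + boundQuery(input).statements.head)

    // With #$ the extra predicate is evaluated and rows unrelated to the input match;
    // with $ the whole input is compared as one opaque string value.
    val viaLiteral = Await.result(db.run(literalQuery(input)), Duration.Inf)
    val viaBind    = Await.result(db.run(boundQuery(input)), Duration.Inf)
    println(s"rows via #$$: $viaLiteral")
    println(s"rows via $$:  $viaBind")
  }
}
```

Running the object prints the two statement strings first, which is the quickest way to confirm in a code review that a query is parameterized rather than assembled from literals.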
References
CWE - CWE-89: Improper Neutralization of Special Elements used in an SQL Command