Skip to content

fix(detectors): Add comment filtering to SQL Injection detector #95006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
roggenkemper merged 6 commits into from
Jul 11, 2025
Merged

fix(detectors): Add comment filtering to SQL Injection detector #95006

roggenkemper merged 6 commits into from
Jul 11, 2025
+177 −4

Conversation

@roggenkemper
Copy link
Member

@roggenkemper roggenkemper commented Jul 7, 2025

sometimes there's a comment at the end of the SQL statement. if an org puts the url with the query parameters for example in the comment, then that would show up as a false positive because right now it only looks after WHERE. Now, if a comment exists, we ignore that during detection.

@github-actions github-actions bot added the Scope: Backend Automatically applied to PRs that change backend components label Jul 7, 2025
@codecov
Copy link

codecov bot commented Jul 7, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master   #95006      +/-   ##
==========================================
+ Coverage   77.03%   84.27%   +7.23%     
==========================================
  Files       10478    10462      -16     
  Lines      605927   605273     -654     
  Branches    23671    23569     -102     
==========================================
+ Hits       466759   510067   +43308     
+ Misses     136783    94682   -42101     
+ Partials     2385      524    -1861

@roggenkemper roggenkemper marked this pull request as ready for review July 7, 2025 21:58
@roggenkemper roggenkemper requested a review from a team July 7, 2025 21:58
@roggenkemper roggenkemper requested a review from a team as a code owner July 7, 2025 21:58
cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

@roggenkemper roggenkemper requested review from a team and cvxluo July 10, 2025 21:39
cursor[bot]
cursor bot reviewed Jul 11, 2025
View reviewed changes
Copy link
Contributor

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: SQL Injection Detector Fails String Literal Handling

The SQL injection detector incorrectly identifies SQL comments due to its simple find("--") method. This fails to account for -- appearing within SQL string literals (e.g., 'value--text'), where it is part of the string, not a comment. Consequently, the detector treats the string literal as a comment boundary, excluding the subsequent query portion from analysis. This leads to false negatives, missing actual SQL injection vulnerabilities.

src/sentry/performance_issues/detectors/sql_injection_detector.py#L130-L131

sentry/src/sentry/performance_issues/detectors/sql_injection_detector.py

Lines 130 to 131 in 052a444

description_after_where = description[where_index:]
comment_index = description_after_where.find("--")

Fix in CursorFix in Web

Was this report helpful? Give feedback by reacting with 👍 or 👎

@roggenkemper roggenkemper merged commit c68c43f into master Jul 11, 2025
65 checks passed
@roggenkemper roggenkemper deleted the roggenkemper/ignorecomment branch July 11, 2025 17:02
andrewshie-sentry pushed a commit that referenced this pull request Jul 14, 2025
@roggenkemper @andrewshie-sentry
fix(detectors): Add comment filtering to SQL Injection detector (#95006)
7a95086 
sometimes there's a comment at the end of the SQL statement. if an org
puts the url with the query parameters for example in the comment, then
that would show up as a false positive because right now it only looks
after `WHERE`. Now, if a comment exists, we ignore that during
detection.
@github-actions github-actions bot locked and limited conversation to collaborators Jul 27, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@cvxluo cvxluo cvxluo approved these changes

Assignees

No one assigned

Labels

Scope: Backend Automatically applied to PRs that change backend components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@roggenkemper @cvxluo