Question
Ok, so I am using ServiceStack OrmLite for my data needs in my Web API. When I submitted my code to VeraCode for code security scanning and verification, the result report showed that OrmLite shows potential SQL injection attack vectors.
ServiceStack.OrmLite.dll GridReader DapperMultiple(System.Data.IDbConnection, string, object, System.Data.IDbTransaction,System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll int ExecuteCommand(System.Data.IDbConnection, System.Data.IDbTransaction, string, System.Action<System.Data.IDbCommand,object>, object, System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll int ExecuteDapper(System.Data.IDbConnection, string, object, System.Data.IDbTransaction, System.Nullable<int>, System.Nullable<System.Data.CommandType>)
ServiceStack.OrmLite.dll object Scalar(System.Data.IDbCommand, string)
ServiceStack.OrmLite.dll System.Data.IDataReader ExecReader(System.Data.IDbCommand, string)
ServiceStack.OrmLite.dll System.Data.IDataReader ExecReader(System.Data.IDbCommand, string, System.Collections.Generic.IEnumerable<System.Data.IDataParameter>)
I'm not sure how to triage this. Should I replace OrmLite with EntityFramework?
Answer 1:
Eh? All this shows are OrmLite APIs that let you execute a raw SQL string? In the end every ORM is going to use ADO.NET's underlying APIs in order to execute raw SQL.
Most of OrmLite's APIs are typed, where their values are escaped and protected from SQL injection attacks. But as OrmLite is a versatile ORM it also offers custom APIs that let you execute raw SQL, but even in this case you can protect yourself from SQL injection by using parameterized queries:
Custom SQL APIs
// The value is passed in the anonymous object and bound as the @age parameter,
// so it is never spliced into the SQL text.
List<Person> results = db.SqlList<Person>(
    "SELECT * FROM Person WHERE Age < @age", new { age = 50 });

// Same pattern for a stored procedure call; @weekNo is bound from weekNo = 1.
List<Poco> weekResults = db.SqlList<Poco>(
    "EXEC GetAnalyticsForWeek @weekNo", new { weekNo = 1 });
Also the first few lines look like they're from the interned version of Dapper, which is another Micro ORM that's embedded in OrmLite for convenience, but not used by OrmLite itself. Like OrmLite it offers Custom SQL APIs that also let you use parameterized arguments and are invulnerable to SQL injection attacks.
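Added example, not code from the answer above or from the OrmLite project: a small runnable program showing both the typed API and the parameterized custom SQL API against an in-memory SQLite database, with an input containing SQL metacharacters that is compared as a plain literal. It assumes the ServiceStack.OrmLite.Sqlite NuGet package; the Person table and its rows are constructed for the example.

```csharp
// Added example (assumes the ServiceStack.OrmLite.Sqlite package);
// the Person class and sample rows are constructed for this demo.
using System;
using System.Collections.Generic;
using System.Data;
using ServiceStack.DataAnnotations;
using ServiceStack.OrmLite;

public class Person
{
    [AutoIncrement]
    public int Id { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
}

public static class OrmLiteParamsDemo
{
    // Typed API: OrmLite binds 'age' as a DB parameter itself.
    public static List<Person> YoungerThan(IDbConnection db, int age) =>
        db.Select<Person>(p => p.Age < age);

    // Custom SQL API: the SQL text is a constant; the user value only ever
    // travels as the @name parameter, so quotes in it cannot alter the query.
    public static List<Person> ByName(IDbConnection db, string name) =>
        db.SqlList<Person>("SELECT * FROM Person WHERE Name = @name", new { name });

    public static void Main()
    {
        var factory = new OrmLiteConnectionFactory(":memory:", SqliteDialect.Provider);
        using (var db = factory.Open())
        {
            db.CreateTableIfNotExists<Person>();
            db.Insert(new Person { Name = "Alice", Age = 34 });
            db.Insert(new Person { Name = "Bob", Age = 61 });

            Console.WriteLine("Under 50: " + YoungerThan(db, 50).Count);
            Console.WriteLine("Name Bob: " + ByName(db, "Bob").Count);

            // Input with SQL metacharacters: matched literally against Name,
            // so it finds nothing instead of widening the WHERE clause.
            var hostile = "x' OR '1'='1";
            Console.WriteLine("Hostile input: " + ByName(db, hostile).Count);
        }
    }
}
```

The same argument applies to the Dapper-style Execute/Query calls VeraCode listed: pass values through the parameter object and keep the SQL text constant.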
Answer 2:
During a code-readout with VeraCode the suggested proper remediation was to replace ServiceStack ORM with EntityFramework 6.1.
This was only a minor update to the repositories pattern currently in place.
Source: https://stackoverflow.com/questions/26636135/veracode-reports-servicestack-ormlite-with-improper-neutralization-of-special-el