
Conversation


@cincuranet cincuranet commented Sep 2, 2025

Fixes #35735.

Description

Doing string concatenation in raw SQL methods is dangerous, because it opens the possibility of SQL injection. We had an analyzer for string interpolation, but not for pure string concatenation. This fixes it.

Customer impact

Customers might be unknowingly open to SQL injection attacks.

How found

Customer reported.

Regression

No.

Testing

Tests added.

Risk

Low. This is only the analyzers package.
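As an added illustration (not code from this PR or from EF Core itself), the pattern the new analyzer is meant to flag, placed next to the parameterized forms a fix should move to. `Customer`, `ShopContext` and the SQLite connection string are hypothetical; the EF Core APIs used (`FromSqlRaw`, `FromSql`) are real.

```csharp
using System.Linq;
using Microsoft.EntityFrameworkCore;

// Hypothetical entity and context, used only to make the queries below compile.
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class ShopContext : DbContext
{
    public DbSet<Customer> Customers => Set<Customer>();

    // Placeholder connection string; any EF Core provider would do here.
    protected override void OnConfiguring(DbContextOptionsBuilder options)
        => options.UseSqlite("Data Source=shop.db");
}

public static class CustomerQueries
{
    // The pattern this PR's analyzer warns on: a caller-supplied value is
    // concatenated into the SQL text. A quote character inside 'name' ends the
    // literal early and whatever follows is executed as SQL; nothing is parameterized.
    public static IQueryable<Customer> ByNameUnsafe(ShopContext db, string name)
        => db.Customers.FromSqlRaw("SELECT * FROM Customers WHERE Name = '" + name + "'");

    // Safe form 1: FromSqlRaw with positional placeholders. EF Core turns each
    // argument into a DbParameter, so the SQL text never changes with the input.
    public static IQueryable<Customer> ByNameParameterized(ShopContext db, string name)
        => db.Customers.FromSqlRaw("SELECT * FROM Customers WHERE Name = {0}", name);

    // Safe form 2: FromSql takes a FormattableString, so every interpolation hole
    // becomes a parameter instead of being spliced into the query. Note that
    // interpolating into a plain string and passing it to FromSqlRaw would be
    // just as unsafe as the concatenation above (that case is what the existing
    // interpolation analyzer covers).
    public static IQueryable<Customer> ByNameInterpolated(ShopContext db, string name)
        => db.Customers.FromSql($"SELECT * FROM Customers WHERE Name = {name}");
}
```

Both safe forms send the same SQL text to the database regardless of `name`, which is the property a code reviewer (or an analyzer) is really checking for: the query shape must be fixed at compile time and only parameter values may vary at run time.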

@cincuranet cincuranet changed the title from "Concat analyzer" to "Analyzer for string concatenation in raw SQL methods." Sep 2, 2025
@roji roji (Member) left a comment

Just a few quick comments

@cincuranet cincuranet force-pushed the concat-analyzer branch 5 times, most recently from ef8427d to a897c98, September 9, 2025 09:56
@cincuranet cincuranet marked this pull request as ready for review September 9, 2025 09:56
@cincuranet cincuranet requested a review from a team as a code owner September 9, 2025 09:56
@roji roji (Member) left a comment

LGTM after comments addressed, thanks!

@artl93 artl93 (Member) left a comment

Approved. RC2. Breaking change?

@cincuranet cincuranet (Contributor, Author) commented

@artl93 Not a breaking change.

@cincuranet cincuranet merged commit 9a44870 into dotnet:release/10.0 Sep 10, 2025
7 checks passed
@cincuranet cincuranet deleted the concat-analyzer branch September 10, 2025 06:37
Successfully merging this pull request may close these issues.

Analyzer warnings for string concatenation in raw SQL APIs