Skip to content

Checkmarx AI Remediation - Second_Order_SQL_Injection#4

Open
cx-lucas-ferreira wants to merge 6 commits into
mainfrom
cx-ai-agent-main-P0JQD3psZ4Ay9Eai
Open

Checkmarx AI Remediation - Second_Order_SQL_Injection#4
cx-lucas-ferreira wants to merge 6 commits into
mainfrom
cx-ai-agent-main-P0JQD3psZ4Ay9Eai

Conversation

@cx-lucas-ferreira

Copy link
Copy Markdown

Logo
Checkmarx One – Remediation


Second_Order_SQL_Injection · Critical

Triage context: Reachable · Exploitable

Fix second-order SQL injection vulnerabilities in Django application

What is the issue?
The application contains second-order SQL injection vulnerabilities (CWE-89) across multiple files. User-supplied data such as usernames and blab names is stored in the database during registration, then later retrieved and embedded directly into new SQL queries via string concatenation or Python %-formatting without sanitization. This two-stage attack vector makes the vulnerabilities harder to detect than classic first-order SQL injection, as the malicious payload is injected at one point in time and executed at another.

Why should it be fixed?
An attacker can register a malicious username containing SQL metacharacters, which later executes arbitrary SQL when the stored value is reused in queries. This can result in full credential exfiltration, privilege escalation, account takeover, or database destruction. The vulnerability violates OWASP Top 10 (A03:2021), PCI DSS, and NIST SP 800-53 requirements.

How should it be fixed?
Convert all unsafe cursor.execute() calls to Django's parameterized query API across five files. In app/commands/ListenCommand.py and app/commands/IgnoreCommand.py, parameterize the INSERT and SELECT queries that use DB-sourced values. In app/views/userController.py, fix 12 queries (login, showPasswordHint, showTotp, processTotp, processRegister, processRegisterFinish, showProfile, processProfile, usernameExists, updateUsername) and remove the unused sqlparse import. In app/views/blabController.py, fix all 7 queries and add an allowlist for the non-parameterizable ORDER BY clause. In app/views/resetController.py, parameterize the INSERT users and INSERT listeners queries. Add regression tests in app/tests/test_sql_injection.py and app/tests/__init__.py.


Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@cx-lucas-ferreira

cx-lucas-ferreira commented Jul 17, 2026

Copy link
Copy Markdown
Author

Logo
Checkmarx One – Scan Summary & Details233070eb-1c4a-4773-9baf-c0724a18ab63


New Issues (48)

Critical: 2 · High: 2 · Medium: 21 · Low: 23

Checkmarx found the following issues in this Pull Request

# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL Code_Injection app/views/blabController.py: 274
detailsThe application's blabbers method receives and dynamically executes user-controlled code using eval, at line 357 of /app/views/blabController.py...
Attack Vector
2 CRITICAL SQL_Injection app/views/blabController.py: 274
detailsThe application's blabbers method executes an SQL query with execute, at line 309 of /app/views/blabController.py. The application constructs thi...
Attack Vector
3 HIGH Missing User Instruction Dockerfile: 1
detailsAlways set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
4 HIGH Path_Traversal app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets dynamic data from the request element. This element’s value then flows through th...
Attack Vector
5 MEDIUM Apt Get Install Pin Version Not Defined Dockerfile: 7
detailsWhen installing a package, its pin version should be defined
6 MEDIUM CSRF app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets a parameter from a user request from request. This parameter value flows through ...
Attack Vector
7 MEDIUM CSRF app/views/userController.py: 376
detailsMethod processRegisterFinish at line 376 of /app/views/userController.py gets a parameter from a user request from cleaned_data. This parameter ...
Attack Vector
8 MEDIUM CSRF app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets a parameter from a user request from request. This parameter value flows through ...
Attack Vector
9 MEDIUM CSRF app/views/blabController.py: 37
detailsMethod feed at line 37 of /app/views/blabController.py gets a parameter from a user request from request. This parameter value flows through the ...
Attack Vector
10 MEDIUM CSRF app/views/userController.py: 390
detailsMethod processRegisterFinish at line 390 of /app/views/userController.py gets a parameter from a user request from cleaned_data. This parameter ...
Attack Vector
11 MEDIUM CSRF app/views/blabController.py: 176
detailsMethod blab at line 176 of /app/views/blabController.py gets a parameter from a user request from request. This parameter value flows through the...
Attack Vector
12 MEDIUM CSRF app/views/userController.py: 391
detailsMethod processRegisterFinish at line 391 of /app/views/userController.py gets a parameter from a user request from cleaned_data. This parameter ...
Attack Vector
13 MEDIUM OS_Access_Violation app/views/userController.py: 450
detailsThe user-provided input from request in /app/views/userController.py in line 450 is used by the file operation newPath in /app/views/userControll...
Attack Vector
14 MEDIUM Parameter_Tampering app/views/userController.py: 194
detailsMethod totp at line 194 of /app/views/userController.py gets user input from element request. This input is later concatenated by the application...
Attack Vector
15 MEDIUM Parameter_Tampering app/views/blabController.py: 274
detailsMethod blabbers at line 274 of /app/views/blabController.py gets user input from element request. This input is later concatenated by the applica...
Attack Vector
16 MEDIUM Parameter_Tampering app/views/blabController.py: 176
detailsMethod blab at line 176 of /app/views/blabController.py gets user input from element request. This input is later concatenated by the application...
Attack Vector
17 MEDIUM Parameter_Tampering app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This input is later concatenated by the applicat...
Attack Vector
18 MEDIUM Parameter_Tampering app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This input is later concatenated by the applicat...
Attack Vector
19 MEDIUM Parameter_Tampering app/views/userController.py: 194
detailsMethod totp at line 194 of /app/views/userController.py gets user input from element request. This input is later concatenated by the application...
Attack Vector
20 MEDIUM Parameter_Tampering app/views/blabController.py: 176
detailsMethod blab at line 176 of /app/views/blabController.py gets user input from element request. This input is later concatenated by the application...
Attack Vector
21 MEDIUM Parameter_Tampering app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This input is later concatenated by the applicat...
Attack Vector
22 MEDIUM Parameter_Tampering app/views/userController.py: 301
detailsMethod register at line 301 of /app/views/userController.py gets user input from element request. This input is later concatenated by the applica...
Attack Vector
23 MEDIUM Parameter_Tampering app/views/userController.py: 158
detailsMethod showPasswordHint at line 158 of /app/views/userController.py gets user input from element request. This input is later concatenated by the...
Attack Vector
24 MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm app/views/userController.py: 398
detailsIn processRegisterFinish, the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivi...
Attack Vector
25 MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm app/views/userController.py: 104
detailsIn login, the application protects sensitive data using a cryptographic algorithm, hexdigest, that is considered weak or even trivially broken, in ...
Attack Vector
26 LOW Cookie_Poisoning app/views/userController.py: 450
detailsThe application sets a cookie, set_cookie, in the processProfile method of file /app/views/userController.py at line 607. The value set to this ...
Attack Vector
27 LOW Healthcheck Instruction Missing Dockerfile: 1
detailsEnsure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
28 LOW Log_Forging app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This element’s value flows through the code with...
Attack Vector
29 LOW Log_Forging app/views/userController.py: 158
detailsMethod showPasswordHint at line 158 of /app/views/userController.py gets user input from element request. This element’s value flows through the ...
Attack Vector
30 LOW Log_Forging app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This element’s value flows through the code with...
Attack Vector
31 LOW Log_Forging app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This element’s value flows through the code with...
Attack Vector
32 LOW Log_Forging app/views/blabController.py: 274
detailsMethod blabbers at line 274 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code wit...
Attack Vector
33 LOW Log_Forging app/views/blabController.py: 274
detailsMethod blabbers at line 274 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code wit...
Attack Vector
34 LOW Log_Forging app/views/userController.py: 450
detailsMethod profile at line 450 of /app/views/userController.py gets user input from element request. This element’s value flows through the code with...
Attack Vector
35 LOW Log_Forging app/views/userController.py: 158
detailsMethod showPasswordHint at line 158 of /app/views/userController.py gets user input from element request. This element’s value flows through the ...
Attack Vector
36 LOW Log_Forging app/views/blabController.py: 274
detailsMethod blabbers at line 274 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code wit...
Attack Vector
37 LOW Log_Forging app/views/blabController.py: 176
detailsMethod blab at line 176 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code without...
Attack Vector
38 LOW Log_Forging app/views/blabController.py: 274
detailsMethod blabbers at line 274 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code wit...
Attack Vector
39 LOW Log_Forging app/views/blabController.py: 176
detailsMethod blab at line 176 of /app/views/blabController.py gets user input from element request. This element’s value flows through the code without...
Attack Vector

More results are available on the CxOne platform


Fixed Issues (101)

Critical: 30 · High: 1 · Medium: 31 · Low: 39

Great job! The following issues were fixed in this Pull Request

Severity Issue Source File / Package
CRITICAL Code_Injection app/views/blabController.py: 326
CRITICAL SQL_Injection app/views/userController.py: 391
CRITICAL SQL_Injection app/views/userController.py: 209
CRITICAL SQL_Injection app/views/userController.py: 406
CRITICAL SQL_Injection app/views/blabController.py: 281
CRITICAL SQL_Injection app/views/userController.py: 209
CRITICAL SQL_Injection app/views/userController.py: 330
CRITICAL SQL_Injection app/views/userController.py: 467
CRITICAL SQL_Injection app/views/userController.py: 554
CRITICAL SQL_Injection app/views/userController.py: 405
CRITICAL SQL_Injection app/views/userController.py: 467
CRITICAL SQL_Injection app/views/userController.py: 554
CRITICAL SQL_Injection app/views/userController.py: 467
CRITICAL SQL_Injection app/views/userController.py: 384
CRITICAL SQL_Injection app/views/blabController.py: 39
CRITICAL SQL_Injection app/views/blabController.py: 39
CRITICAL SQL_Injection app/views/blabController.py: 154
CRITICAL SQL_Injection app/views/blabController.py: 105
CRITICAL SQL_Injection app/views/userController.py: 84
CRITICAL SQL_Injection app/views/blabController.py: 275
CRITICAL SQL_Injection app/views/userController.py: 174
CRITICAL SQL_Injection app/views/blabController.py: 238
CRITICAL SQL_Injection app/views/blabController.py: 101
CRITICAL SQL_Injection app/views/blabController.py: 178
CRITICAL SQL_Injection app/views/blabController.py: 243
CRITICAL SQL_Injection app/views/blabController.py: 178
CRITICAL SQL_Injection app/views/blabController.py: 237
CRITICAL SQL_Injection app/views/userController.py: 553
CRITICAL SQL_Injection app/views/userController.py: 552
CRITICAL Second_Order_SQL_Injection app/views/userController.py: 120
HIGH Path_Traversal app/views/userController.py: 554
MEDIUM CSRF app/views/userController.py: 467
MEDIUM CSRF app/views/blabController.py: 176
MEDIUM CSRF app/views/blabController.py: 37
MEDIUM CSRF app/views/userController.py: 406
MEDIUM CSRF app/views/userController.py: 467
MEDIUM CSRF app/views/userController.py: 391
MEDIUM CSRF app/views/userController.py: 405
MEDIUM Django_Missing_Function_Level_Authorization app/views/userController.py: 551
MEDIUM Django_Missing_Object_Level_Authorization app/views/userController.py: 551
MEDIUM Django_Missing_Object_Level_Authorization app/views/userController.py: 328
MEDIUM OS_Access_Violation app/views/userController.py: 554
MEDIUM Parameter_Tampering app/views/userController.py: 467
MEDIUM Parameter_Tampering app/views/userController.py: 330
MEDIUM Parameter_Tampering app/views/blabController.py: 273
MEDIUM Parameter_Tampering app/views/blabController.py: 281
MEDIUM Parameter_Tampering app/views/userController.py: 173
MEDIUM Parameter_Tampering app/views/blabController.py: 178
MEDIUM Parameter_Tampering app/views/userController.py: 554
MEDIUM Parameter_Tampering app/views/userController.py: 467
MEDIUM Parameter_Tampering app/views/blabController.py: 176
MEDIUM Parameter_Tampering app/views/userController.py: 316
MEDIUM Parameter_Tampering app/views/blabController.py: 176
MEDIUM Parameter_Tampering app/views/userController.py: 209
MEDIUM Parameter_Tampering app/views/userController.py: 174
MEDIUM Parameter_Tampering app/views/blabController.py: 275
MEDIUM Parameter_Tampering app/views/blabController.py: 178
MEDIUM Parameter_Tampering app/views/userController.py: 467
MEDIUM Parameter_Tampering app/views/userController.py: 209
MEDIUM Privacy_Violation app/views/userController.py: 391
MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm app/views/userController.py: 105
MEDIUM Use_of_Broken_or_Risky_Cryptographic_Algorithm app/views/userController.py: 412
LOW Cookie_Poisoning app/views/userController.py: 554
LOW Filtering_Sensitive_Logs app/views/userController.py: 105
LOW Filtering_Sensitive_Logs app/views/userController.py: 105
LOW Filtering_Sensitive_Logs app/views/userController.py: 413
LOW Log_Forging app/views/userController.py: 174
LOW Log_Forging app/views/userController.py: 554
LOW Log_Forging app/views/userController.py: 391
LOW Log_Forging app/views/blabController.py: 275
LOW Log_Forging app/views/blabController.py: 325
LOW Log_Forging app/views/userController.py: 467
LOW Log_Forging app/views/userController.py: 85
LOW Log_Forging app/views/userController.py: 467
LOW Log_Forging app/views/userController.py: 573
LOW Log_Forging app/views/blabController.py: 326
LOW Log_Forging app/views/blabController.py: 187

More results are available on the CxOne platform


Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant