Insecure SQL connection

- ID: cs/insecure-sql-connection
- Kind: path-problem
- Security severity: 7.5
- Severity: error
- Precision: medium
- Tags: security, external/cwe/cwe-327
- Query suites: csharp-security-extended.qls, csharp-security-and-quality.qls
SQL Server connections on which the client does not enforce encryption in transit are susceptible to several attacks, including man-in-the-middle attacks that can expose the user credentials and/or compromise the TDS session.

Recommendation

Ensure that the client code enforces the Encrypt option by setting it to true in the connection string.

Example

The following example shows a SQL connection string that does not explicitly enable the Encrypt setting to force encryption.
```csharp
using System.Data.SqlClient;

// BAD, Encrypt not specified
string connectString = "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
var conn = new SqlConnection(builder.ConnectionString);
```
The following example shows a SQL connection string that explicitly enables the Encrypt setting to force encryption in transit.
```csharp
using System.Data.SqlClient;

// GOOD, Encrypt=true forces encryption in transit
string connectString = "Server=1.2.3.4;Database=Anything;Integrated Security=true;Encrypt=true;";
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
var conn = new SqlConnection(builder.ConnectionString);
```
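The recommendation above is easiest to apply consistently if the application normalises every connection string it receives before opening a connection, rather than relying on each configuration file to spell `Encrypt=true`. The helper below is an added example, not code from the CodeQL query help or from the CodeQL project: it uses `SqlConnectionStringBuilder` from `System.Data.SqlClient` (the same library as the examples above) to force `Encrypt` on, and it rejects `TrustServerCertificate=true`, because that keyword turns off validation of the server certificate and so gives up the man-in-the-middle protection that `Encrypt` is meant to provide. The class name, method names and the sample connection strings are constructed for this example.

```csharp
using System;
using System.Data.SqlClient;

// Added example (hypothetical helper, not part of the CodeQL query help).
public static class SqlConnectionHardening
{
    // Returns a connection string that enforces encryption in transit,
    // whatever the input specified. Throws when certificate validation has
    // been disabled, since an unvalidated certificate does not protect
    // against an attacker sitting between client and server.
    public static string EnforceEncryption(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);

        if (builder.TrustServerCertificate)
        {
            throw new ArgumentException(
                "TrustServerCertificate=true disables server certificate validation; " +
                "install a certificate the client trusts on the server instead.");
        }

        // Equivalent to writing Encrypt=true in the connection string.
        builder.Encrypt = true;
        return builder.ConnectionString;
    }

    // True only if the string, as written, already enforces encryption AND
    // still validates the server certificate.
    public static bool EnforcesEncryption(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return builder.Encrypt && !builder.TrustServerCertificate;
    }

    public static void Main()
    {
        // Constructed sample: Encrypt left unset, as in the BAD example above.
        string unencrypted = "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
        Console.WriteLine($"enforces encryption: {EnforcesEncryption(unencrypted)}");
        Console.WriteLine($"hardened: {EnforceEncryption(unencrypted)}");

        // Constructed sample: Encrypt set, but certificate validation switched off.
        string unvalidated = "Server=1.2.3.4;Database=Anything;Integrated Security=true;" +
                             "Encrypt=true;TrustServerCertificate=true;";
        Console.WriteLine($"enforces encryption: {EnforcesEncryption(unvalidated)}");

        try
        {
            EnforceEncryption(unvalidated);
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
        }

        // Only a string that passed EnforceEncryption is used to open a connection.
        using var conn = new SqlConnection(EnforceEncryption(unencrypted));
    }
}
```

Running `EnforceEncryption` on a string the builder normalises will rewrite keywords to their canonical names (for example `Server` becomes `Data Source`); that is the builder's behaviour and does not change the connection. Note also that the check is only as good as the library behind it: in Microsoft.Data.SqlClient 4.0 and later the default for `Encrypt` is already `true`, but the legacy `System.Data.SqlClient` used on this page defaults to `false`, which is exactly why the query flags strings that leave it unset.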
References

- Microsoft, SQL Protocols blog: Selectively using secure connection to SQL Server.
- Microsoft: SqlConnection.ConnectionString Property.
- Microsoft: Using Connection String Keywords with SQL Server Native Client.
- Microsoft: Setting the connection properties.
- Common Weakness Enumeration: CWE-327.