Error in passing parameters to sql query in Ballerina

Tags:

wso2

ballerina

I'm developing a simple Ballerina application which retrieves the email of a given name (cntname).

    string sqlString = "SELECT email FROM CONTACTS WHERE Name=?";
    // Retrieve employee data by invoking the select action defined in the Ballerina SQL client
    var ret = contactDB->select(sqlString, (), cntname);

This error appears when running the program.

error: contacts_db_service:0.0.0/hello_service.bal:56:86: tainted value passed to sensitive parameter 'message'

The value returned from extractName(), shown below, is passed to cntname.

Note: split() was applied to the string value passed to cntname.

Krishi H asked Jul 08 '18 09:07


2 Answers

The Ballerina compiler has a built-in "Taint Analyzer", which helps make Ballerina a security-aware programming language. The taint analyzer helps prevent numerous security vulnerabilities including SQLi, path manipulation and XSS. You can go through the "How to Write Secure Ballerina Programs" page to read more about this.

However, the way you are performing the SQL query is absolutely correct and there is no security problem with that. Looking at the error message, it seems line 56 should be the location where you call the caller->respond( resp ) action to return an HTTP response.

I am suggesting this because caller->respond( resp ) is where a value is set for the message parameter of the respond action.

If this is the case, please check whether the response content you are trying to send is a fully validated value. The taint analyzer has detected that the response you are about to send contains untrusted (tainted) data, which could lead to XSS or other security vulnerabilities. You can check the "Taint Analysis — Examples" section of this blog post to understand how this error could occur and how to properly validate data and mitigate this error.

Furthermore, if you can share the full Ballerina code, I can update the answer with further details on how to address the exact issue.

ayomawdb answered Dec 25 '22 22:12


Ballerina has a built-in "Taint Analyzer" to prevent security vulnerabilities. Therefore you can perform a validation like this before passing a value to a sensitive parameter of a function.

    // Returning @untainted tells the taint analyzer that the result has been
    // validated and may flow into sensitive parameters.
    function sanitizeAndReturnUntainted(string input) returns @untainted string {
        // Strip every character that is not a letter. replaceAll() takes a
        // regex; replace() would only match the literal text "[^a-zA-Z]".
        string regEx = "[^a-zA-Z]";
        return input.replaceAll(regEx, "");
    }

Note: this is only a sample validation. You can also validate whether the input is numeric, a float, etc.

Madhuka Wickramapala answered Dec 25 '22 23:12
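Putting the two answers together, here is an added example (not code from either answerer or from the Ballerina project) in the 0.97x-era syntax the question uses: the path parameter is checked against a letters-only allowlist and rejected otherwise, so only the value returned as @untainted reaches the query parameter and the response message. The listener port and the service paths are assumptions made for this example.

```ballerina
import ballerina/http;

// Allowlist check: the value is returned as @untainted only if it contains
// nothing but letters; any other input is rejected instead of silently stripped.
function validateName(string input) returns @untainted string|error {
    // Removing every non-letter must leave the input unchanged.
    if (input != "" && input.replaceAll("[^A-Za-z]", "") == input) {
        return input;
    }
    error e = { message: "contact name must contain letters only" };
    return e;
}

// Constructed listener; the port is an assumption for this example.
endpoint http:Listener listener {
    port: 9090
};

@http:ServiceConfig { basePath: "/contacts" }
service<http:Service> ContactService bind listener {

    @http:ResourceConfig { methods: ["GET"], path: "/{cntname}" }
    getEmail(endpoint caller, http:Request req, string cntname) {
        http:Response resp = new;
        // cntname comes straight from the request path, so the taint analyzer
        // treats it as tainted until it passes through an @untainted function.
        match validateName(cntname) {
            string safeName => {
                // safeName is untainted: it may be bound to the SQL query
                // parameter and echoed in the response without a taint error.
                resp.setTextPayload("Looking up email for " + safeName);
            }
            error err => {
                resp.statusCode = 400;
                resp.setTextPayload("Invalid contact name");
            }
        }
        // The message parameter of respond() is sensitive; resp holds only
        // validated or constant data at this point.
        _ = caller->respond(resp);
    }
}
```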