Forum Discussion

lhamilton
Contributor
7 years ago

Coding LiQL API calls so they don't look like SQL injection vulnerabilities

Does anyone have any recommendations on how to handle our LiQL calls so they don't look like SQL injection vulnerabilities to our automated security scan tools?


We are concerned that when we develop code to make LiQL calls, it might trigger alerts on security scans because the API calls will look like potential SQL injection vulnerabilities.


Thanks!

    • lhamilton
      Contributor

      TariqHussain Thx for replying! I started this thread for one of our devs as he's under a tight deadline and Lithium Support said they didn't have an answer for us. We don't have anything specific regarding call anatomy - this is more of us making sure we cover all of our bases with any concerns that we may have with LiQL.


      With that being said, here's our dev's reply:


      The LiQL calls are SQL-like, so the concern is that anything with code that has verbiage like “SELECT x FROM y WHERE z” is going to trigger an alert during a security scan. IMHO, it is what it is. We can try to obfuscate the call logic in the code in an attempt to “trick” the security scan, but that is going to make the code less readable/understandable in the future for other developers. The reality is that if it is picked up by a security scan, it is a false positive since it is not a call into a db.
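As an added example (not code from this thread or from Lithium), one way to keep LiQL query construction out of a scanner's taint path without obfuscating anything: the query text is a constant template, and the request values that go into it are validated against a strict pattern before insertion, so the finding has a clear answer at review time. The LiQL field names, the v2 `search` endpoint and the helper names are my assumptions.

```python
import re
from urllib.parse import urlencode

# Assumed: a LiQL board id is a short slug. Values outside this pattern are
# rejected outright rather than escaped, so quotes never reach the query text.
_BOARD_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# The query text is a constant template; only validated values fill the slots.
# Field and collection names are assumptions about the LiQL data model.
_RECENT_MESSAGES = (
    "SELECT id, subject FROM messages "
    "WHERE board.id = '{board_id}' "
    "ORDER BY post_time DESC LIMIT {limit}"
)


class InvalidQueryParameter(ValueError):
    """Raised when a request value is not acceptable as a LiQL literal."""


def is_valid_board_id(board_id: str) -> bool:
    """Allow-list check: True only for slug-shaped ids (no quotes, spaces, etc.)."""
    return bool(_BOARD_ID.match(board_id))


def build_recent_messages_query(board_id: str, limit: int = 10) -> str:
    """Return the LiQL text for the N most recent messages on a board."""
    if not is_valid_board_id(board_id):
        raise InvalidQueryParameter(f"board id rejected: {board_id!r}")
    if not 1 <= limit <= 100:
        raise InvalidQueryParameter(f"limit out of range: {limit}")
    return _RECENT_MESSAGES.format(board_id=board_id, limit=limit)


def search_url(base_url: str, query: str) -> str:
    """Assumed endpoint: LiQL is sent as the q parameter of GET /api/2.0/search."""
    return f"{base_url.rstrip('/')}/api/2.0/search?{urlencode({'q': query})}"


if __name__ == "__main__":
    # Constructed sample input, as a request handler might receive it.
    q = build_recent_messages_query("general", limit=5)
    print(search_url("https://community.example.com/", q))
```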