Forum Discussion
lhamilton - Could you please share which part of the API call is creating an issue in the automated security scan?
- lhamilton (Contributor)
TariqHussain Thanks for replying! I started this thread for one of our devs, as he's under a tight deadline and Lithium Support said they didn't have an answer for us. We don't have anything specific regarding the call anatomy; this is more a matter of us making sure we cover all of our bases with any concerns we may have with LiQL.
With that being said, here's our dev's reply:
The LiQL calls are SQL-like, so the concern is that any code containing verbiage like “SELECT x FROM y WHERE z” is going to trigger an alert during a security scan. IMHO, it is what it is. We can try to obfuscate the call logic in the code in an attempt to “trick” the security scan, but that is going to make the code less readable/understandable in the future for other developers. The reality is that if it is picked up by a security scan, it is a false positive, since it is not a call into a db.
lhamilton - Is it possible to skip a single file in the security scan? If yes, you can move all the LiQL queries into a single macro and include that macro in the code.
Also, please go through this document; it might be useful: https://community.lithium.com/t5/Community-Solutions/LiQL-and-SQL-injection-vulnerability/ta-p/281334