SQL injection warning can be bypassed
Question

Just wanted to share a weird behavior involving the BuildSafe_InClauseIntegerList action. 

When I was playing around with the BuildSafe_InClauseIntegerList action, I was able to bypass the "SQL injection vulnerability warning". I did this by naming a variable "BuildSafe_InClauseIntegerList" and using it as an "expand inline" Advanced SQL input parameter. By doing so, the SQL injection warning disappeared even though the variable I passed was not sanitized at all. As per my testing, this also happens if the variable is named "BuildSafe_InClauseTextList".

Honestly, I don't think anyone will explicitly name their variables this way just to bypass a warning that is actually there for their app's benefit. I just want to raise this for awareness.

Screenshots for reference:

Smart people, dumb software. Good if it's taken care of. Somehow it's just taking your variables as an output from the Sanitization API functions. https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/Sanitization_API#BuildSafe_InClauseIntegerList


Cheers

I would encourage you to register an Idea to fix this. It should be taken up by OS soon.




No, I don't think this should be reported as an Idea. Instead, the feedback button in Service Studio should be used.
