Insecure SQL connection¶
ID: cs/insecure-sql-connection Kind: path-problem Security severity: 7.5 Severity: error Precision: medium Tags: - security - external/cwe/cwe-327 Query suites: - csharp-security-extended.qls - csharp-security-and-quality.qls Click to see the query in the CodeQL repository
SQL Server connections where the client is not enforcing the encryption in transit are susceptible to multiple attacks, including a man-in-the-middle, that would potentially compromise the user credentials and/or the TDS session.
Recommendation¶
Ensure that the client code enforces the Encrypt option by setting it to true in the connection string.
Example¶
The following example shows a SQL connection string that is not explicitly enabling the Encrypt setting to force encryption.
using System.Data.SqlClient; // BAD, Encrypt not specified string connectString = "Server=1.2.3.4;Database=Anything;Integrated Security=true;"; SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); var conn = new SqlConnection(builder.ConnectionString); The following example shows a SQL connection string that is explicitly enabling the Encrypt setting to force encryption in transit.
using System.Data.SqlClient; string connectString = "Server=1.2.3.4;Database=Anything;Integrated Security=true;;Encrypt=true;"; SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString); var conn = new SqlConnection(builder.ConnectionString); References¶
Microsoft, SQL Protocols blog: Selectively using secure connection to SQL Server.
Microsoft: SqlConnection.ConnectionString Property.
Microsoft: Using Connection String Keywords with SQL Server Native Client.
Microsoft: Setting the connection properties.
Common Weakness Enumeration: CWE-327.