InstallHub
SQL Injection Detection
Certain workflow node types accept SQL-like query strings to interact with data sources. The SQL injection detector scans these fields for patterns that could manipulate the underlying database when the workflow executes.
Fields Scanned
SQL injection scanning targets configuration fields that are executed against data sources at runtime:
| Artifact Type | Field | Usage |
|---|---|---|
| ProcessDefinition (DataFetch node) | nodes[*].config.query | Parameterized query sent to tenant data source |
| ProcessDefinition (DataWrite node) | nodes[*].config.writeQuery | INSERT/UPDATE statement for tenant records |
| EntitySchema | indexes[*].filterExpression | Index filter applied at query time |
| RuleSet | rules[*].datasourceQuery | Query used to fetch data for rule evaluation |
Detection Rules
| Rule | Pattern | Severity |
|---|---|---|
| UnionAttack | UNION\s+SELECT (case-insensitive) | Critical |
| DropStatement | DROP\s+(TABLE\|DATABASE\|SCHEMA\|INDEX) | Critical |
| TruncateStatement | TRUNCATE\s+TABLE | Critical |
| RawStringConcatenation | String concatenation with a user variable in the query: query + variable | High |
| AlterStatement | ALTER\s+(TABLE\|COLUMN\|DATABASE) | High |
| CommentTermination | --\s*$ or /\*.*\*/ inline in the query value | High |
| StoredProc | EXEC\s+\w+, EXECUTE\s+\w+ | Medium |
| WildcardSelect | SELECT\s+\*\s+FROM without a parameterized WHERE clause | Low |
What Is Allowed
Safe SQL patterns that will not trigger findings:
```
// ALLOWED — Parameterized query with named parameters:
SELECT id, name, department FROM employees WHERE tenantId = @tenantId AND status = @status

// ALLOWED — Parameterized INSERT:
INSERT INTO audit_log (tenantId, action, actorId, timestamp)
VALUES (@tenantId, @action, @actorId, GETUTCDATE())

// ALLOWED — Filtered SELECT with explicit columns:
SELECT e.id, e.name, d.name AS department
FROM employees e
INNER JOIN departments d ON e.departmentId = d.id
WHERE e.tenantId = @tenantId AND e.isActive = 1
```
What Triggers Failure
```
// FAIL — UNION attack:
SELECT id FROM employees WHERE name = 'x' UNION SELECT password FROM admin_users--

// FAIL — DROP TABLE:
SELECT 1; DROP TABLE employees;--

// FAIL — Dynamic string concatenation (not parameterized):
"SELECT * FROM " + userInput + " WHERE id = " + userId

// FAIL — TRUNCATE:
TRUNCATE TABLE process_executions; SELECT 1
```
Scan Finding Example
```json
{
  "check": "SqlInjection",
  "result": "FAIL",
  "severity": "Critical",
  "findings": [
    {
      "artifactType": "ProcessDefinition",
      "artifactName": "DataExtractionFlow",
      "field": "nodes[4].config.query",
      "value": "SELECT * FROM employees WHERE name = '' UNION SELECT password, salt, '' FROM admin_credentials--",
      "rule": "UnionAttack",
      "message": "SQL query contains a UNION SELECT pattern. This is a critical SQL injection indicator — the query has been flagged for review."
    }
  ]
}
```
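To make the Fields Scanned table, the Detection Rules table and the finding format above concrete, here is an added reference scanner (example code, not InstallHub's own implementation). The regular expressions are my reading of the documented patterns, and it assumes the scanner reports one finding per field at the highest-severity rule matched, which is how the finding example above reads.

```python
import re

# Detection rules from the table above as (name, regex, severity). The regexes are an
# assumption based on the documented patterns, not the scanner's own expressions.
RULES = [
    ("UnionAttack", r"UNION\s+SELECT", "Critical"),
    ("DropStatement", r"DROP\s+(TABLE|DATABASE|SCHEMA|INDEX)", "Critical"),
    ("TruncateStatement", r"TRUNCATE\s+TABLE", "Critical"),
    ("RawStringConcatenation", r'"\s*\+\s*\w+|\w+\s*\+\s*"', "High"),  # "..." + variable
    ("AlterStatement", r"ALTER\s+(TABLE|COLUMN|DATABASE)", "High"),
    ("CommentTermination", r"--\s*$|/\*.*?\*/", "High"),
    ("StoredProc", r"\bEXEC(UTE)?\s+\w+", "Medium"),
    ("WildcardSelect", r"SELECT\s+\*\s+FROM", "Low"),
]
RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}
# Fields scanned per artifact type: (list key, path inside each list item), from Fields Scanned.
SCANNED = {
    "ProcessDefinition": [("nodes", ("config", "query")), ("nodes", ("config", "writeQuery"))],
    "EntitySchema": [("indexes", ("filterExpression",))],
    "RuleSet": [("rules", ("datasourceQuery",))],
}

def classify(query):
    """Return the highest-severity (rule, severity) the query matches, or None if it is clean."""
    hits = []
    for name, pattern, sev in RULES:
        if not re.search(pattern, query, re.I | re.S):
            continue
        # WildcardSelect only fires when the WHERE clause carries no @parameter.
        if name == "WildcardSelect" and re.search(r"WHERE[^;]*@\w+", query, re.I):
            continue
        hits.append((name, sev))
    return max(hits, key=lambda h: RANK[h[1]], default=None)

def scan(artifact):
    """Walk the scanned fields of one artifact and build a result shaped like the finding above."""
    findings = []
    for list_key, path in SCANNED.get(artifact["type"], []):
        for i, item in enumerate(artifact.get(list_key, [])):
            value = item
            for key in path:  # descend e.g. nodes[i] -> config -> query; missing keys yield None
                value = value.get(key) if isinstance(value, dict) else None
            hit = classify(value) if isinstance(value, str) else None
            if hit:  # per-finding "severity" is an addition to the page's finding format
                findings.append({"artifactType": artifact["type"], "artifactName": artifact["name"],
                                 "field": f"{list_key}[{i}].{'.'.join(path)}", "value": value,
                                 "rule": hit[0], "severity": hit[1],
                                 "message": f"Query matched rule {hit[0]}; flagged for review."})
    top = max((f["severity"] for f in findings), key=RANK.get, default=None)
    return {"check": "SqlInjection", "result": "FAIL" if findings else "PASS",
            "severity": top, "findings": findings}
```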
Legitimate Use of SQL Nodes
SQL-capable workflow nodes are designed for parameterized queries only. The workflow runtime enforces parameterization — direct string interpolation in queries is not supported by the execution engine. If a package contains raw string concatenation in a query field, it indicates either a poorly designed package or a deliberate injection attempt. Both are blocked.
Reporting a False Positive
If the scanner flags a legitimate query (e.g., a UNION-style view name or a comment in a multi-line query for documentation purposes), request a false positive review. See the Handling False Positives page for the process.