CodeQL documentation

Insecure SQL connection

ID: cs/insecure-sql-connection
Kind: path-problem
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-327
Query suites:
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls


SQL Server connections in which the client does not enforce encryption in transit are susceptible to network attacks, including man-in-the-middle attacks, that can expose the user's credentials and the contents of the TDS session.

Recommendation

Ensure that the client code enforces the Encrypt option by setting it to true in the connection string. Note that Encrypt=true only forces the connection to use TLS: if TrustServerCertificate is also set to true, the client accepts any certificate the server presents, which re-enables man-in-the-middle attacks. Leave TrustServerCertificate at its default of false and have the server present a certificate that the client trusts.

Example

The following example shows a SQL connection string that is not explicitly enabling the Encrypt setting to force encryption.

using System.Data.SqlClient;

// BAD, Encrypt not specified
string connectString =
    "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
var conn = new SqlConnection(builder.ConnectionString);

The following example shows a SQL connection string that is explicitly enabling the Encrypt setting to force encryption in transit.

using System.Data.SqlClient;

// GOOD, Encrypt=true forces TLS for the connection
string connectString =
    "Server=1.2.3.4;Database=Anything;Integrated Security=true;Encrypt=true;";
SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(connectString);
var conn = new SqlConnection(builder.ConnectionString);
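The two snippets above rely on every call site remembering to add Encrypt=true. The following is an added example, not code from the CodeQL query or its documentation, showing how to centralize the recommendation instead: a small helper that takes whatever connection string the application was configured with, forces Encrypt=true, and refuses a string that sets TrustServerCertificate=true, since that setting would leave the forced TLS connection open to a man-in-the-middle with a self-issued certificate. The class and method names (SecureSqlConnections, EnforceEncryption, Open) are illustrative; Encrypt and TrustServerCertificate are the real System.Data.SqlClient connection-string keywords, and the sample connection strings are constructed for the demonstration. Building it requires a reference to the System.Data.SqlClient package.

```csharp
using System;
using System.Data.SqlClient;

// Added example (not part of the CodeQL documentation): route every SqlConnection
// through this helper so that encryption in transit cannot be forgotten at a call site.
public static class SecureSqlConnections
{
    // Returns a copy of connectionString with Encrypt=true.
    //
    // Encrypt=true only forces TLS; TrustServerCertificate=true would still make the
    // client accept any certificate, so such a string is rejected outright rather than
    // silently "fixed" into a configuration that looks encrypted but is not validated.
    public static string EnforceEncryption(string connectionString)
    {
        // SqlConnectionStringBuilder parses the ADO.NET keyword=value syntax and
        // understands keyword synonyms, so "Encrypt" and its aliases are all covered.
        var builder = new SqlConnectionStringBuilder(connectionString);

        if (builder.TrustServerCertificate)
        {
            throw new InvalidOperationException(
                "TrustServerCertificate=true disables server certificate validation; " +
                "provision a server certificate the client trusts instead.");
        }

        // Overrides Encrypt=false as well as a missing Encrypt keyword.
        builder.Encrypt = true;
        return builder.ConnectionString;
    }

    // Drop-in replacement for 'new SqlConnection(cs)' followed by Open().
    public static SqlConnection Open(string connectionString)
    {
        var conn = new SqlConnection(EnforceEncryption(connectionString));
        conn.Open();
        return conn;
    }

    public static void Main()
    {
        // Constructed sample: same shape as the BAD example above, Encrypt not specified.
        string unspecified = "Server=1.2.3.4;Database=Anything;Integrated Security=true;";
        Console.WriteLine(EnforceEncryption(unspecified));

        // Constructed sample: encryption explicitly disabled; the helper turns it back on.
        string disabled = "Server=1.2.3.4;Database=Anything;Integrated Security=true;Encrypt=false;";
        Console.WriteLine(EnforceEncryption(disabled));

        // Constructed sample: encrypted but with certificate validation switched off.
        string untrusted =
            "Server=1.2.3.4;Database=Anything;Integrated Security=true;Encrypt=true;TrustServerCertificate=true;";
        try
        {
            EnforceEncryption(untrusted);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Because the helper works on the parsed builder rather than on the raw string, it is not fooled by differences in keyword casing, spacing, or the order of the keyword=value pairs, and the string it returns is the builder's normalized form, so the CodeQL query sees Encrypt set at the single place where connections are created.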

References