Automated Verification Tools

Automated Verification Tools

Implement automated checks in your development pipeline. The script below is a heuristic pass — grep patterns plus semgrep when it is installed — that surfaces suspicious lines for human review; a clean run is not proof that no SQL injection exists, and a pipeline gate is only useful if it fails the build when a check fires:

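#!/usr/bin/env bash
# Automated SQL injection prevention verification script
#
# Heuristic pre-merge gate for a source tree: greps for the usual SQL-building
# anti-patterns and runs semgrep's SQL-injection rules when semgrep is present.
# Every check is a pattern match, not a proof. A clean run means "nothing
# obvious was found"; every hit is a line for a reviewer to read, not
# automatically a vulnerability.
#
# Usage:   sql-injection-check.sh [SRC_DIR]   (SRC_DIR defaults to ./src)
# Outputs: matching lines on stdout; sql-injection-report.json from semgrep
# Exit:    0 when no check fired, 1 when at least one did, 2 when SRC_DIR is
#          missing — so a CI job actually fails instead of always passing.
#
# -e is deliberately not set: grep exits 1 on "no match", which is the
# expected outcome of most checks here, so each exit status is tested
# explicitly instead.
set -uo pipefail

src_dir="${1:-./src}"
if [[ ! -d "$src_dir" ]]; then
    printf 'error: source directory not found: %s\n' "$src_dir" >&2
    exit 2
fi

# File scope shared by every grep check, so the language list and the
# node_modules/.git exclusions cannot drift between checks.
grep_scope=(
    --include='*.py' --include='*.js' --include='*.java' --include='*.cs'
    --exclude-dir=node_modules --exclude-dir=.git
)
findings=0

# Print a warning and record that the gate must fail.
# Arguments: the warning text
flag() {
    printf '⚠ %s\n' "$*"
    findings=$((findings + 1))
}

echo "Running SQL Injection Prevention Checks..."

# Check 1: a SQL keyword and a string-building operator on the same line.
# A bare %s is NOT treated as concatenation: it is also the DB-API placeholder
# for psycopg2/MySQLdb (execute(sql, params)), and check 2 relies on that
# reading. Python's % operator is caught as a closing quote followed by %;
# f-strings as f" / f'.
echo "[1/5] Checking for SQL string concatenation..."
if grep -r -n -E "${grep_scope[@]}" \
        -e "(SELECT|INSERT|UPDATE|DELETE).*(\+|&|\|\||\.format|[\"'][[:space:]]*%|f[\"'])" \
        -- "$src_dir"; then
    flag "SQL built by string concatenation found above; use parameterized queries"
else
    echo "✓ No obvious SQL concatenation found"
fi

# Check 2: execute() calls whose SQL literal carries no placeholder in any of
# the supported styles (?, :name, %s, @name). The keyword alternation is
# grouped so that a line must contain execute( AND a keyword (ungrouped,
# any line containing INSERT/UPDATE/DELETE matched). The placeholder filter
# is anchored past grep's "path:line:" prefix: otherwise the line number
# itself satisfies the :name pattern on every line and the check can never
# fire. Known gap: "... %s" % value passes here (it looks parameterized) and
# is left to check 1.
echo "[2/5] Verifying parameterized query patterns..."
if grep -r -n -E "${grep_scope[@]}" \
        -e "execute.*\(.*[\"'].*(SELECT|INSERT|UPDATE|DELETE)" -- "$src_dir" \
    | grep -v -E "^[^:]*:[0-9]+:.*(\?|:[[:alnum:]_]+|%s|@[[:alnum:]_]+)"; then
    flag "execute() calls without query placeholders found above"
else
    echo "✓ Parameterized queries appear to be used"
fi

# Check 3: semgrep with the SQL-injection ruleset. --config=auto pulls a
# generic pack (and reports project metadata to the registry); the
# p/sql-injection pack is the targeted one. --error makes semgrep exit 1 when
# it has findings, which is what the gate needs: testing the report file for
# non-emptiness does not work, because semgrep always writes a JSON document,
# even with zero results. A missing scanner fails the gate too — a check that
# silently passes when its tool is absent is not a check.
echo "[3/5] Running static security analysis..."
if command -v semgrep >/dev/null 2>&1; then
    semgrep --config=p/sql-injection --json --output=sql-injection-report.json \
        --error --include='*.py' --include='*.js' --include='*.java' "$src_dir"
    semgrep_rc=$?
    case "$semgrep_rc" in
        0) echo "✓ No SQL injection vulnerabilities detected by semgrep" ;;
        1) flag "Potential issues found. Review sql-injection-report.json" ;;
        *) flag "semgrep failed with exit code $semgrep_rc (rules not fetched?)" ;;
    esac
else
    flag "Semgrep not installed. Run: pip install semgrep"
fi

# Check 4: count references to validation/sanitization helpers. This is an
# inventory, not a pass/fail signal: input validation is defense in depth,
# and neither the absence of these words makes SQL unsafe nor their presence
# makes it safe. Case-insensitive, one line per hit, summed over keywords.
echo "[4/5] Checking for input validation..."
validation_total=0
for keyword in validate sanitize escape clean filter; do
    # grep -c prints "path:count" per file; sum the trailing field.
    keyword_hits=$(grep -r -i -c "${grep_scope[@]}" -e "$keyword" -- "$src_dir" \
        | awk -F: '{ sum += $NF } END { print sum + 0 }')
    validation_total=$((validation_total + keyword_hits))
done
echo "✓ Found $validation_total validation references"

# Check 5: APIs that are either code-execution sinks or raw-SQL entry points.
# Matched as fixed strings (-F) so that "eval(" and "string.Format" are not
# read as regexes. executeQuery/raw_query are legitimate when fed a prepared
# statement; each hit is a place to read, not automatically a bug.
echo "[5/5] Scanning for dangerous SQL functions..."
for sink in "eval(" "exec(" "raw_query" "executeQuery" "string.Format"; do
    if grep -r -n -F "${grep_scope[@]}" -e "$sink" -- "$src_dir"; then
        flag "Warning: Found usage of potentially dangerous function: $sink"
    fi
done

echo "SQL Injection Prevention Check Complete!"
if (( findings > 0 )); then
    printf '%d check(s) reported findings; failing the gate.\n' "$findings" >&2
    exit 1
fi
exit 0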