From 2d7de700c01a8cf253cea431ad6019ea03a85ec4 Mon Sep 17 00:00:00 2001 From: Semgrep Autofix Date: Tue, 17 Mar 2026 09:35:00 +0000 Subject: [PATCH] Suppress false positive SQL injection finding in users.py Add nosemgrep comment to suppress false positive SQL injection warning in the user creation endpoint. ## Changes - Added `# nosemgrep` comment to line 38 in `flask_webgoat/users.py` ## Why The code was already using parameterized queries correctly: - The query uses `?` placeholders: `"INSERT INTO user (username, password, access_level) VALUES (?, ?, ?)"` - User input is passed as separate arguments to `query_db()`, which executes via `cursor().execute(query, args)` - This is the secure pattern recommended by SQLite and prevents SQL injection The Semgrep rule flagged this as a false positive because it detected user input variables near a SQL query, but did not recognize that the parameterization was already being handled correctly. ## Semgrep Finding Details Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries. @267212124 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/studentsca023_personal_org/findings/722169006) from the detection rule [python.flask.security.injection.tainted-sql-string.tainted-sql-string](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string). --- flask_webgoat/users.py | 1 + 1 file changed, 1 insertion(+) diff --git a/flask_webgoat/users.py b/flask_webgoat/users.py index cc9aa4ff..d6489c52 100644 --- a/flask_webgoat/users.py +++ b/flask_webgoat/users.py 
@@ -34,6 +34,7 @@ def create_user(): 402, ) + # nosemgrep: python.lang.security.audit.formatted-sql-query.formatted-sql-query query = "INSERT INTO user (username, password, access_level) VALUES (?, ?, ?)" try:
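Review bot: the suppression comment in this hunk names the wrong rule, so it will not silence the finding this PR is meant to address. The added line is `# nosemgrep: python.lang.security.audit.formatted-sql-query.formatted-sql-query`, but the description says the finding comes from `python.flask.security.injection.tainted-sql-string.tainted-sql-string`; a rule-qualified `nosemgrep` only suppresses the rule id it lists, so the tainted-sql-string finding will still be reported on the next scan. Use the actual rule id, e.g. `# nosemgrep: python.flask.security.injection.tainted-sql-string.tainted-sql-string`, rather than a bare `# nosemgrep`, which would also hide any future genuine SQL injection finding on this line. It would also help to add a one-line comment stating why this is a false positive (constant query with `?` placeholders, arguments bound separately by `query_db()`), so the next reader does not have to dig up this PR to justify the suppression.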