Lab 3.4 ‐ Fix Code Scanning Bug

Rene van Osnabrugge edited this page Feb 26, 2024 · 1 revision

Objective

😱 Oops! Code scanning identified a severe SQL injection bug in the Globoticket application. In this lab we will investigate the issue and see how we can resolve this with the help of Copilot.

Steps

Step 1: 💬 Let Copilot explain the vulnerability

  • Locate and open SqlOrderSubmissionService.cs under frontend/Services/Ordering

  • Ask Copilot Chat whether there is any security issue with this code; it will immediately identify what is wrong

  • Inspect Copilot's answer and suggestions on how to resolve the problem

  • In addition, ask Copilot the following questions:

    • "How can I exploit this bug?" ❓ How does it respond? ❓ Why do you think it gives this response?
    • "What kind of input could lead to problems?" ❓ How does it respond now?

Step 2: 🔒 Fix the SQL injection vulnerability

  • Ask Copilot to rewrite the method so that it is safe
  • Inspect Copilot's suggestion and apply it if you are happy with it
  • Make a PR with your fix and merge it to the main branch
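For reference, the kind of change you should expect Copilot to propose in Step 2: an added example in C# (not the Globoticket repository's own `SqlOrderSubmissionService.cs`) that shows a string-concatenated `INSERT` next to its parameterised replacement. The class, method, table and column names are assumptions made for this illustration.

```csharp
using System;
using System.Data;
using Microsoft.Data.SqlClient;

// Illustrative order-submission service (NOT the Globoticket code): the
// method, table and column names are assumptions made for this example.
public sealed class OrderSubmissionExample
{
    private readonly string _connectionString;

    public OrderSubmissionExample(string connectionString) =>
        _connectionString = connectionString;

    // BEFORE: user-controlled values are concatenated straight into the SQL text.
    // Whatever the caller passes in customerEmail becomes part of the statement,
    // which is the class of defect code scanning reports as SQL injection.
    public void SubmitOrderVulnerable(string customerEmail, int eventId, int quantity)
    {
        var sql = "INSERT INTO Orders (CustomerEmail, EventId, Quantity) VALUES ('"
                  + customerEmail + "', " + eventId + ", " + quantity + ")";
        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql, connection);
        connection.Open();
        command.ExecuteNonQuery();
    }

    // AFTER: the SQL text is a constant and every user value travels as a typed
    // parameter. The database receives statement and values separately, so the
    // input can never alter the structure of the query.
    public void SubmitOrderSafe(string customerEmail, int eventId, int quantity)
    {
        const string sql =
            "INSERT INTO Orders (CustomerEmail, EventId, Quantity) " +
            "VALUES (@customerEmail, @eventId, @quantity)";
        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql, connection);
        command.Parameters.Add("@customerEmail", SqlDbType.NVarChar, 256).Value = customerEmail;
        command.Parameters.Add("@eventId", SqlDbType.Int).Value = eventId;
        command.Parameters.Add("@quantity", SqlDbType.Int).Value = quantity;
        connection.Open();
        command.ExecuteNonQuery();
    }
}
```

When reviewing Copilot's suggestion, check that every user-supplied value has become a parameter and that no part of the query text is still built from input; a fix that only escapes quotes or validates the string does not remove the finding.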