roji changed the title from "Why am I not getting warnings even for trivial SQL injection holes?" to "Analyzer warnings for string concatenation in raw SQL APIs" on Mar 6, 2025
EF1002 is (currently) only about usage of string interpolation within the raw SQL APIs (e.g. ctx.ExecuteSqlRawAsync($"SELECT ... {foo}")), and does not cover concatenation. This is definitely something we should do.
/cc @DoctorKrolic who contributed the interpolated analyzer implementation.
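The distinction roji describes, as an added example (not code from the issue or from the EF Core repository; `AppDbContext`, `Customer` and the `Customers` table are placeholders assumed for illustration): the Raw APIs take a plain `string`, so a concatenated string and a `$"..."` interpolated string both arrive as finished SQL text, but only the interpolated form is something EF1002 currently recognizes. The parameterized forms, the `{0}` placeholders of the Raw methods or the `FormattableString` overloads, keep the search value out of the statement text regardless of what the analyzer reports.

```csharp
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Placeholder entity and context assumed for this example (not from the issue).
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
}

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Customer> Customers => Set<Customer>();
}

public static class CustomerSearch
{
    // 1. Concatenation: request-controlled text is spliced into the SQL string.
    //    This is the case the issue is about: EF1002 does not report it today.
    public static Task<List<Customer>> Concatenated(AppDbContext ctx, string nameSearch)
        => ctx.Customers
              .FromSqlRaw("SELECT * FROM Customers WHERE Name LIKE '%" + nameSearch + "%'")
              .ToListAsync();

    // 2. Interpolation into the Raw API: the same SQL text reaches the database,
    //    but because the argument is a $"..." string, EF1002 reports it.
    public static Task<List<Customer>> InterpolatedRaw(AppDbContext ctx, string nameSearch)
        => ctx.Customers
              .FromSqlRaw($"SELECT * FROM Customers WHERE Name LIKE '%{nameSearch}%'")
              .ToListAsync();

    // 3. Safe with the Raw API: {0} is a placeholder that EF Core binds as a
    //    DbParameter; the search text never becomes part of the statement.
    public static Task<List<Customer>> RawParameterized(AppDbContext ctx, string nameSearch)
        => ctx.Customers
              .FromSqlRaw("SELECT * FROM Customers WHERE Name LIKE {0}", "%" + nameSearch + "%")
              .ToListAsync();

    // 4. Safe with FormattableString: FromSql (EF Core 7+, previously FromSqlInterpolated)
    //    receives each interpolation hole as a separate argument and parameterizes it.
    public static Task<List<Customer>> Formattable(AppDbContext ctx, string nameSearch)
    {
        var pattern = "%" + nameSearch + "%";
        return ctx.Customers
                  .FromSql($"SELECT * FROM Customers WHERE Name LIKE {pattern}")
                  .ToListAsync();
    }

    // The same placeholder mechanism applies to non-query commands, which is the
    // ExecuteSqlRaw path the issue reporter is using.
    public static Task<int> DeleteByNameParameterized(AppDbContext ctx, string nameSearch)
        => ctx.Database.ExecuteSqlRawAsync(
            "DELETE FROM Customers WHERE Name LIKE {0}", "%" + nameSearch + "%");
}
```

Cases 1 and 2 send identical statements to SQL Server; the only difference is the C# syntax, which is all the current analyzer looks at. A code review or a rule that treats any non-constant argument to a Raw method as suspect catches case 1 as well; until such a rule exists, the reliable control is to write every raw call in the shape of cases 3 and 4.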
Question
I see there are at least two warnings that should be given if there's a possibility of an SQL injection attack: CA3001 and EF1002.
No matter how egregious a hole I'm trying to make, I get zero warnings from ExecuteSqlRaw.
In my editorconfig I have:
And I have set this for all projects via Directory.Build.Props
The projects are .NET 9 and the Microsoft.EntityFrameworkCore.Analyzers are enabled.
I get a bunch of other warnings, but it seems like these injection vulnerabilities are not detected in the first place.
Can anyone actually get these warnings some way?
Your code
where the request.NameSearch comes directly from the API. It does not get any more obvious than this.
EF Core version
9.0.0
Database provider
Microsoft.EntityFrameworkCore.SqlServer
Target framework
.NET 9.0
Operating system
Windows 11
IDE
No response