Extending Puma Scan with custom sinks
Puma Scan traces data as it flows through the code, from its source (where the data enters the system, for example an HTTP request parameter) to its sink (where the data leaves or is acted upon, such as an HTTP response or a database query). A finding is raised only when tainted data reaches a sink the rule knows about, so a sink hidden behind a method the rule has never heard of is invisible to it.
Let's modify our code to use a custom extension method, and then add a sink to the SQL injection rule so Puma Scan knows about it:
- Open the `Controllers/WritingInstrumentController.cs` file and comment out the line with `FromSqlRaw` in it. Also, uncomment the `FromSqlWriting` method. This method is a simple extension method that just calls `FromSqlRaw`. When you are done it should look like this:

  ```csharp
  //var instrument = await context.Crayons.FromSqlRaw("SELECT * FROM Crayons WHERE HTMLColor = '" + Color + "'").FirstOrDefaultAsync();
  var instrument = await context.Crayons.FromSqlWriting("SELECT * FROM Crayons...
  ```
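To make the source-to-sink point concrete, the following is an added example written for this page, not the workshop's own code. It shows what a wrapper like `FromSqlWriting` looks like, a call through it that is still injectable, and the parameterized form of the same query. The containing class names (`WritingInstrumentExtensions`, `CrayonQueries`, `CrayonContext`) and the `Crayon` entity shape are assumptions; only EF Core's `FromSqlRaw`, `FromSqlRaw(string, params object[])` and `FirstOrDefaultAsync` are real APIs.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Hypothetical class name. The workshop defines FromSqlWriting inside
// WritingInstrumentController.cs, but its body is not shown on the page.
public static class WritingInstrumentExtensions
{
    // Forwards the SQL string unchanged to EF Core's FromSqlRaw. The real sink
    // (FromSqlRaw) now sits one call deeper, behind a method name the SQL
    // injection rule does not know, which is why the wrapper must be registered
    // as a sink before the rule can flag callers of it.
    public static IQueryable<T> FromSqlWriting<T>(this DbSet<T> set, string sql) where T : class
        => set.FromSqlRaw(sql);
}

// Assumed entity shape, matching the column the workshop query filters on.
public class Crayon
{
    public int Id { get; set; }
    public string HTMLColor { get; set; } = "";
}

// Assumed DbContext; the workshop's context type is not shown on the page.
public class CrayonContext : DbContext
{
    public CrayonContext(DbContextOptions<CrayonContext> options) : base(options) { }
    public DbSet<Crayon> Crayons => Set<Crayon>();
}

public static class CrayonQueries
{
    // Source: 'color' arrives from the HTTP request. Sink: FromSqlRaw, reached
    // through the wrapper. Concatenation puts the caller's text into the SQL
    // itself; with color = "' OR '1'='1" the WHERE clause matches every row.
    public static Task<Crayon?> ByColorInjectable(CrayonContext context, string color)
        => context.Crayons
            .FromSqlWriting("SELECT * FROM Crayons WHERE HTMLColor = '" + color + "'")
            .FirstOrDefaultAsync();

    // Same query, but the value travels as a DbParameter: EF Core binds {0} and
    // the text never becomes part of the SQL statement, so tainted data reaching
    // this sink cannot change the query's structure.
    public static Task<Crayon?> ByColorParameterized(CrayonContext context, string color)
        => context.Crayons
            .FromSqlRaw("SELECT * FROM Crayons WHERE HTMLColor = {0}", color)
            .FirstOrDefaultAsync();
}
```

The wrapper is the whole reason for the next step in the workshop: a rule that lists only `FromSqlRaw` as a sink sees `ByColorInjectable` call an unknown method and stays silent, even though the concatenated string ends up in exactly the same place. Registering `FromSqlWriting` as an additional sink restores the finding; the parameterized version is how the call should be written once it is found.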