Azure Security alert on Datagrip

Hi,

I'm using DataGrip/PyCharm for SQL development on Azure SQL databases, and have started getting security alerts from Azure saying: "Potential exploitation of application code vulnerability to SQL Injection was detected. This may indicate a SQL Injection attack on database ....". When I dig in and look at the SQL, the query has a typo, i.e. I typed in a query and made a mistake, but Azure security thinks it's a possible SQL injection. I believe this is because the application "Datagrip" (which is also the name reported when I use PyCharm) is not recognized as a developer tool, so Azure thinks it's an application without human-type queries.

Is there any way to get DataGrip/PyCharm to report itself as, e.g., SQL Server Management Studio, similar to how it's possible to get Chrome to report itself as Firefox by switching the user-agent?

@8forty
Could you check that you set up the `applicationName` advanced property in your data source settings?
E.g.:

Great, that's just what I was hoping to find.  Didn't think to look in the data connection settings.

@8forty Write if there are some more issues.

Hi, in DataGrip version 2.3 or later this option isn't there. Do you know where it is in these versions? Thank you.

@Smetanka

If there is no such option, you can add it in the `Advanced` tab.

@vasily chernov

Thank you, but it still isn't good for me.

@Smetanka
What exactly do you need? Is it the wrong version, or do you want to remove it?

@vasily chernov

My colleagues and I are using DataGrip. When somebody runs a bad query or is connected to the db, I don't know who it is, because everybody has ApplicationName = DataGrip. I want to write the user's nick in the DataGrip config file and easily detect which user is connected to the db.

But I don't know where and what needs to be written in the config.
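
Added example, not part of the post above or of any reply in this thread: a T-SQL query for Azure SQL Database that lists user sessions with the authenticated login next to the client-reported application name. It assumes the caller has `VIEW DATABASE STATE`; since `program_name` is whatever the client puts in `applicationName`, the query treats `login_name` as the attribution field and `program_name` as a hint only.

```sql
-- Added example (not from the thread): who is connected, keyed on the
-- server-authenticated login rather than the client-supplied application name.
-- Assumption: run by a principal with VIEW DATABASE STATE.
SELECT
    s.session_id,
    s.login_name,               -- authenticated principal, set by the server
    s.original_login_name,      -- login before any EXECUTE AS context switch
    c.client_net_address,       -- source address as seen by the server
    s.host_name,                -- client-supplied workstation name
    s.program_name,             -- client-supplied (JDBC applicationName)
    s.login_time,
    -- How many current sessions report the same application name.
    -- A high count means program_name alone cannot identify a user.
    COUNT(*) OVER (PARTITION BY s.program_name) AS sessions_sharing_program_name
FROM sys.dm_exec_sessions AS s
LEFT JOIN sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
      AND c.parent_connection_id IS NULL   -- one row per session, skip MARS children
WHERE s.is_user_process = 1
ORDER BY s.program_name, s.login_name, s.login_time;
```

Giving each developer a separate database login makes `login_name` distinct per person, which holds even when every client reports the same `program_name`.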

@vasily

How to remove it?

One can change or remove `ApplicationName` in the data source Advanced tab:

There is no 'ApplicationName' option. But the SQL still has a 'DataGrid' comment:

@Funcsu,

For the Oracle JDBC driver there is another property: `v$session.program`

Additionally, anyone who wants to disable application info needs to disable the `Send application info` option in the driver options tab.

@vasily chernov

Got it!!!

I uncheck the "Send application info" then it works. Thank you!

vasily chernov

hi my DG version is 2020.1.3

I can't find applicationName in Properties-Drivers-Mysql-Advanced

and if I set applicationName in Properties-Project Data Source-Advance it doesn't work
