include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
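public User getUser(Connection con, String user) throws SQLException {
    // 'user' is caller-supplied and is pasted verbatim into the SQL text of the
    // two queries marked Sensitive below, so whatever the caller sends is parsed
    // as SQL. Wrapping the concatenated string in a PreparedStatement does not
    // help: the input is already part of the statement text before it is
    // prepared, so nothing is bound as a parameter.
    Statement stmt1 = null;
    Statement stmt2 = null;
    PreparedStatement pstmt = null;
    try {
        stmt1 = con.createStatement();
        ResultSet rs1 = stmt1.executeQuery("GETDATE()"); // No issue; hardcoded query

        stmt2 = con.createStatement();
        ResultSet rs2 = stmt2.executeQuery("select FNAME, LNAME, SSN " +
                "from USERS where UNAME=" + user); // Sensitive

        pstmt = con.prepareStatement("select FNAME, LNAME, SSN " +
                "from USERS where UNAME=" + user); // Sensitive
        ResultSet rs3 = pstmt.executeQuery();

        //...
    } finally {
        // Release the JDBC handles on every path (the original 'try' had no
        // catch/finally and never closed them). Closing a Statement also
        // closes its ResultSet.
        if (pstmt != null) pstmt.close();
        if (stmt2 != null) stmt2.close();
        if (stmt1 != null) stmt1.close();
    }
}
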
public User getUserHibernate(org.hibernate.Session session, String data) {
    // 'data' is concatenated into the HQL text itself, so anything the caller
    // passes is parsed as part of the query. HQL is translated to SQL by
    // Hibernate, so this is SQL injection with one extra layer in between.
    org.hibernate.Query query = session.createQuery(
            "FROM students where fname = " + data); // Sensitive
    // ...
}
----
== Compliant Solution
----
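public User getUser(Connection con, String user) throws SQLException {
    // The SQL text is a constant: 'user' never becomes part of the statement
    // string, it only travels as a bound parameter value.
    String query = "select FNAME, LNAME, SSN " +
            "from USERS where UNAME=?";
    Statement stmt1 = null;
    PreparedStatement pstmt = null;
    try {
        stmt1 = con.createStatement();
        ResultSet rs1 = stmt1.executeQuery("GETDATE()"); // No issue; hardcoded query

        pstmt = con.prepareStatement(query);
        // Good: the value is bound separately from the already-parsed SQL, so
        // the database never interprets it as SQL. This is parameter binding,
        // not escaping -- no quoting of the input takes place.
        pstmt.setString(1, user);
        ResultSet rs2 = pstmt.executeQuery();

        //...
    } finally {
        // Close the JDBC handles on every path; closing a Statement also
        // closes its ResultSet.
        if (pstmt != null) pstmt.close();
        if (stmt1 != null) stmt1.close();
    }
}
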
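public User getUserHibernate(org.hibernate.Session session, String data) {
    // The HQL text is a constant and 'data' is bound to the named parameter
    // ':fname', so it can only ever be treated as a value, never as HQL.
    // A named parameter is used rather than a bare '?' because legacy-style
    // positional parameters were dropped in Hibernate 5.3; ':name' works
    // across all versions.
    org.hibernate.Query query = session.createQuery("FROM students where fname = :fname");
    query = query.setParameter("fname", data); // Good; parameter binding, not string building
    // ...
}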
----
== See
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
* https://cwe.mitre.org/data/definitions/89.html[MITRE, CWE-89] - Improper Neutralization of Special Elements used in an SQL Command
* https://cwe.mitre.org/data/definitions/564.html[MITRE, CWE-564] - SQL Injection: Hibernate
* https://cwe.mitre.org/data/definitions/20.html[MITRE, CWE-20] - Improper Input Validation
* https://cwe.mitre.org/data/definitions/943.html[MITRE, CWE-943] - Improper Neutralization of Special Elements in Data Query Logic
* https://wiki.sei.cmu.edu/confluence/x/ITdGBQ[CERT, IDS00-J.] - Prevent SQL injection
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
* Derived from FindSecBugs rules https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JPA[Potential SQL/JPQL Injection (JPA)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_JDO[Potential SQL/JDOQL Injection (JDO)], https://h3xstream.github.io/find-sec-bugs/bugs.htm#SQL_INJECTION_HIBERNATE[Potential SQL/HQL Injection (Hibernate)]
ifdef::env-github,rspecator-view[]
'''
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]