gitlab.find_sec_bugs.CUSTOM_INJECTION-2
This rule flags Java code that builds an SQL statement at runtime by combining a string literal containing an SQL keyword (SELECT, INSERT, CREATE, UPDATE, ALTER, DELETE or DROP) with other values through +, +=, String.format, String.concat or StringBuilder.append. The method identified is susceptible to injection (CWE-89). The input should be validated and properly escaped, or, better, passed as a bound parameter of a PreparedStatement so that the SQL text itself never depends on the input.
Definition
rules:
  - id: find_sec_bugs.CUSTOM_INJECTION-2
    patterns:
      - pattern-not-inside: |
          final String $VAR = ...;
      - pattern-either:
          - pattern: |
              "$SQL_STR" + ...
          - pattern: String.format("$SQL_STR", ...)
          - pattern: |
              "$SQL_STR".concat(...)
          - pattern: (StringBuilder $BUILDER). ... .append("$SQL_STR")
          - patterns:
              - pattern-inside: |
                  StringBuilder $BUILDER = new StringBuilder("$SQL_STR");
                  ...
              - pattern: $BUILDER.append(...)
          - patterns:
              - pattern-inside: |
                  $QUERY = "$SQL_STR";
                  ...
              - pattern: $QUERY += ...
      - metavariable-regex:
          metavariable: $SQL_STR
          regex: (?i)(select|insert|create|update|alter|delete|drop)\b
    message: >
      The method identified is susceptible to injection. The input should be
      validated and properly escaped.
    languages:
      - java
    severity: WARNING
    metadata:
      category: security
      cwe: "CWE-89: Improper Neutralization of Special Elements used in an SQL Command
        ('SQL Injection')"
      technology:
        - java
      primary_identifier: find_sec_bugs.CUSTOM_INJECTION-2
      secondary_identifiers:
        - name: Find Security Bugs-CUSTOM_INJECTION
          type: find_sec_bugs_type
          value: CUSTOM_INJECTION
      license: MIT
Short Link: https://sg.run/KyG6
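As an added worked example (not part of the GitLab rule set or of this registry page), the Java file below exercises each construct the rule's pattern-either clause matches, the final String exclusion, and the recommended fix. The ruleid:/ok: comments follow Semgrep's test-annotation convention: save the rule as custom_injection.yaml and this file as custom_injection.java in the same directory and run "semgrep --test --config custom_injection.yaml ." to confirm the findings land on the annotated lines. The class name, the users/sessions/audit tables and the payload string are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Constructed fixture for find_sec_bugs.CUSTOM_INJECTION-2 (not project code).
// Each method builds an SQL string in one of the shapes the rule looks for.
class SqlInjectionFixture {

    // "$SQL_STR" + ...
    static String byPlus(String user) {
        // ruleid: find_sec_bugs.CUSTOM_INJECTION-2
        return "SELECT * FROM users WHERE name = '" + user + "'";
    }

    // String.format("$SQL_STR", ...)
    static String byFormat(String user) {
        // ruleid: find_sec_bugs.CUSTOM_INJECTION-2
        return String.format("DELETE FROM sessions WHERE owner = '%s'", user);
    }

    // "$SQL_STR".concat(...)
    static String byConcat(String user) {
        // ruleid: find_sec_bugs.CUSTOM_INJECTION-2
        return "UPDATE users SET last_seen = now() WHERE name = '".concat(user).concat("'");
    }

    // StringBuilder $BUILDER = new StringBuilder("$SQL_STR"); ... $BUILDER.append(...)
    static String byBuilder(String user) {
        StringBuilder sb = new StringBuilder("INSERT INTO audit (actor) VALUES ('");
        // ruleid: find_sec_bugs.CUSTOM_INJECTION-2
        sb.append(user).append("')");
        return sb.toString();
    }

    // $QUERY = "$SQL_STR"; ... $QUERY += ...
    static String byPlusEquals(String user) {
        String q = "SELECT id FROM users WHERE name = '";
        // ruleid: find_sec_bugs.CUSTOM_INJECTION-2
        q += user + "'";
        return q;
    }

    // pattern-not-inside: a query assembled inside a `final String` initializer
    // is assumed to be a compile-time constant and is deliberately not flagged.
    static String constantQuery() {
        // ok: find_sec_bugs.CUSTOM_INJECTION-2
        final String q = "SELECT count(*) FROM users WHERE active = " + "1";
        return q;
    }

    // The fix: the SQL text is a fixed literal and the data travels as a bound
    // parameter, so a quote or semicolon in `user` cannot change the statement.
    static ResultSet safeLookup(Connection c, String user) throws SQLException {
        // ok: find_sec_bugs.CUSTOM_INJECTION-2
        PreparedStatement ps = c.prepareStatement("SELECT * FROM users WHERE name = ?");
        ps.setString(1, user);
        return ps.executeQuery();
    }

    public static void main(String[] args) {
        // Constructed payload: closes the string literal, then appends a second statement.
        String payload = "x'; DROP TABLE users; --";
        System.out.println(byPlus(payload));
        System.out.println(byFormat(payload));
        System.out.println(byConcat(payload));
        System.out.println(byBuilder(payload));
        System.out.println(byPlusEquals(payload));
        System.out.println(constantQuery());
    }
}
```

Two caveats follow directly from the rule text. It is purely syntactic: there is no taint tracking, so byPlus would be reported even if its argument were a hard-coded constant, and a concatenation whose literal lacks one of the seven keywords (for example a "WHERE name = '" fragment joined to user input after the SELECT was appended on an earlier line) is not matched at all. Treat findings as a prompt to switch the call site to a PreparedStatement rather than as proof of exploitability, and do not rely on the rule alone to prove its absence.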