java.jboss.security.session_sqli.find-sql-string-concatenation

In $METHOD, $X is used to construct a SQL query via string concatenation.
Definition
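rules:
- id: find-sql-string-concatenation
  # Flags a method that takes a String parameter, splices it into a SQL string
  # and hands that string to prepareStatement() on a Session's connection.
  # Wrapping the result in a PreparedStatement does not help once the untrusted
  # value is already part of the SQL text; the fix is a `?` placeholder bound
  # with setString()/setInt() (see the `ok` example).
  #
  # Known limits of this syntactic rule (a taint-mode rule would cover more):
  #   - only String parameters of the enclosing method are considered sources;
  #   - `Session` matches any type with that simple name, not only Hibernate's;
  #   - only `ResultSet $RESULT = $PS.executeQuery();` is matched as the sink,
  #     so executeUpdate()/execute() callers are not reported.
  message: In $METHOD, $X is used to construct a SQL query via string concatenation.
  languages:
  - java
  severity: ERROR
  pattern-either:
  # Session obtained before the query string is built.
  - pattern: >
      $RETURN $METHOD(...,String $X,...){
      ...
      Session $SESSION = ...;
      ...
      String $QUERY = ... + $X + ...;
      ...
      PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);
      ...
      ResultSet $RESULT = $PS.executeQuery();
      ...
      }
  # Query string built before the Session is obtained.
  - pattern: >
      $RETURN $METHOD(...,String $X,...){
      ...
      String $QUERY = ... + $X + ...;
      ...
      Session $SESSION = ...;
      ...
      PreparedStatement $PS = $SESSION.connection().prepareStatement($QUERY);
      ...
      ResultSet $RESULT = $PS.executeQuery();
      ...
      }
  # Concatenation passed straight to prepareStatement() with no intermediate
  # local: same sink, but there is no `String $QUERY = ...` to anchor on.
  - pattern: >
      $RETURN $METHOD(...,String $X,...){
      ...
      Session $SESSION = ...;
      ...
      PreparedStatement $PS = $SESSION.connection().prepareStatement(... + $X + ...);
      ...
      ResultSet $RESULT = $PS.executeQuery();
      ...
      }
  metadata:
    category: security
    technology:
    - jboss
    # MEDIUM: purely syntactic; no taint tracking, so the String parameter may
    # in fact be trusted (hence likelihood LOW) while impact is full SQLi.
    confidence: MEDIUM
    cwe:
    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    references:
    - https://owasp.org/Top10/A03_2021-Injection
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: LOW
    impact: HIGH
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]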
Examples
session_sqli.java
package servlets;
import java.io.File;
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.io.FilenameUtils;
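public class Cls extends HttpServlet
{
    // Semgrep test fixture for find-sql-string-concatenation. The two `danger*`
    // methods must keep the exact statement shapes the rule's patterns anchor on
    // (a `Session` local, `String query = ... + param + ...`, prepareStatement(query),
    // `ResultSet rs = ps.executeQuery()`); restructuring them silently turns the
    // positive cases into non-matches.
    // NOTE(review): `sessionFactory` is not declared in this fixture; it is
    // presumably an injected Hibernate SessionFactory — confirm before compiling.
    private static final org.apache.log4j.Logger log =
            org.apache.log4j.Logger.getLogger(Cls.class);

    // ruleid:find-sql-string-concatenation
    protected void danger(String ean) {
        Session session = this.sessionFactory.openSession();
        // Vulnerable: the caller-supplied `ean` becomes part of the SQL text, so
        // the PreparedStatement below offers no protection (CWE-89).
        String query = "select foo from bar where" + ean + " limit 1";
        try {
            PreparedStatement ps = session.connection().prepareStatement(query);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                Integer item = rs.getInt("foo");
            }
        } catch (SQLException e) {
            log.error("Error!", e);
        } finally {
            session.close();
        }
    }

    // ruleid:find-sql-string-concatenation
    protected void danger2(String biz) {
        // Same flaw as danger(); only the order of the Session lookup and the
        // concatenation differs, which is why the rule has two pattern variants.
        String query = "select foo from bar where" + biz + " limit 1";
        Session session = this.sessionFactory.openSession();
        try {
            PreparedStatement ps = session.connection().prepareStatement(query);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                Integer item = rs.getInt("foo");
            }
        } catch (SQLException e) {
            log.error("Error!", e);
        } finally {
            session.close();
        }
    }

    // ok:find-sql-string-concatenation
    protected void ok(String foo) throws ServletException, IOException {
        // Safe: the SQL text is a constant and `foo` is bound through a `?`
        // placeholder, so the driver never interprets it as SQL. The body
        // deliberately mirrors danger() so that parameter binding is the only
        // difference the rule has to discriminate on.
        String query = "select foo from bar where ? limit 1";
        Session session = this.sessionFactory.openSession();
        try {
            PreparedStatement ps = session.connection().prepareStatement(query);
            ps.setString(1, foo);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                // The method is void, so the row value is consumed rather than returned.
                Integer item = rs.getInt("foo");
            }
        } catch (SQLException e) {
            log.error("Error!", e);
        } finally {
            session.close();
        }
    }
}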