java.lang.security.audit.sqli.turbine-sqli.turbine-sqli


Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.



Definition

rules:
  - id: turbine-sqli
    # Flags Turbine Peer.executeQuery(...) calls whose first argument is a
    # non-constant SQL string. The two top-level branches differ only in how
    # the receiver is identified: by name (static BasePeer/GroupPeer calls)
    # or by the declared type of a local variable / method parameter.
    pattern-either:
      # Branch 1: receiver matched by name (metavariable-regex below).
      - patterns:
          - pattern-either:
              # SQL assembled earlier and passed via a local, or taken
              # directly from a String parameter of the enclosing method.
              # NOTE: any String parameter qualifies; the rule does not
              # check whether that parameter is actually attacker-controlled,
              # which is why metadata below says confidence LOW.
              - patterns:
                  - pattern-either:
                      - pattern-inside: |
                          String $SQL = $X + $Y;
                          ...
                      - pattern-inside: |
                          String $SQL = String.format(...);
                          ...
                      - pattern-inside: |
                          $VAL $FUNC(...,String $SQL,...) {
                            ...
                          }
                  # Concatenating two literals yields a constant; do not flag it.
                  - pattern-not-inside: |
                      String $SQL = "..." + "...";
                      ...
                  - pattern: $PEER.executeQuery($SQL,...)
              # SQL assembled inline at the call site.
              - pattern: |
                  $PEER.executeQuery(String.format(...),...)
              - pattern: |
                  $PEER.executeQuery($X + $Y,...)
          # Same literal-only exclusion for the inline form.
          - pattern-not: |
              $PEER.executeQuery("..." + "...",...)
          # Restrict the receiver name to the two Turbine peer classes.
          - metavariable-regex:
              metavariable: $PEER
              regex: (BasePeer|GroupPeer)
      # Branch 2: receiver is an instance whose declared type is BasePeer or
      # GroupPeer (local declaration or method parameter).
      - patterns:
          - pattern-either:
              # Same three "where the SQL string comes from" cases as branch 1.
              - patterns:
                  - pattern-either:
                      - pattern-inside: |
                          String $SQL = $X + $Y;
                          ...
                      - pattern-inside: |
                          String $SQL = String.format(...);
                          ...
                      - pattern-inside: |
                          $VAL $FUNC(...,String $SQL,...) {
                            ...
                          }
                  # Concatenating two literals yields a constant; do not flag it.
                  - pattern-not-inside: |
                      String $SQL = "..." + "...";
                      ...
                  - pattern: $P.executeQuery($SQL,...)
              - pattern: |
                  $P.executeQuery(String.format(...),...)
              - pattern: |
                  $P.executeQuery($X + $Y,...)
          # Bind $P to a variable declared as, or a parameter typed as,
          # BasePeer or GroupPeer.
          - pattern-either:
              - pattern-inside: |
                  BasePeer $P = ...;
                  ...
              - pattern-inside: |
                  GroupPeer $P = ...;
                  ...
              - pattern-inside: |
                  $VAL $FUNC(...,GroupPeer $P,...) {
                    ...
                  }
              - pattern-inside: |
                  $VAL $FUNC(...,BasePeer $P,...) {
                    ...
                  }
          # Same literal-only exclusion for the inline form.
          - pattern-not: |
              $P.executeQuery("..." + "...",...)
    message: Detected a formatted string in a SQL statement. This could lead to SQL
      injection if variables in the SQL statement are not properly sanitized.
      Use a prepared statements (java.sql.PreparedStatement) instead. You can
      obtain a PreparedStatement using 'connection.prepareStatement'.
    languages:
      - java
    severity: WARNING
    # Audit-category rule: low likelihood/confidence because the patterns are
    # purely syntactic (no taint tracking), but impact is high if real.
    metadata:
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      category: security
      technology:
        - turbine
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection

Examples

turbine-sqli.java

package testcode.sqli.turbine;

import org.apache.turbine.om.peer.BasePeer;
import org.apache.turbine.om.security.peer.GroupPeer;

/**
 * Semgrep test fixture for the {@code turbine-sqli} rule.
 *
 * <p>Each {@code // ruleid:} comment marks the call on the following line as
 * an expected finding and each {@code // ok:} comment marks an expected
 * non-finding; the test harness matches these annotations by line, so the
 * statement order and adjacency in this class are significant and must not be
 * rearranged.
 *
 * <p>The methods are not meant to be executed; {@code BasePeer} and
 * {@code GroupPeer} come from Apache Turbine and the calls exist only so the
 * rule's patterns have something to match against.
 */
public class TurbineSql {

    /**
     * Instance receiver typed as {@code BasePeer}, SQL taken straight from a
     * {@code String} parameter; every overload of executeQuery is expected to
     * be flagged regardless of the trailing arguments.
     */
    public void injection111(BasePeer peer1, String injection) {
        // ruleid: turbine-sqli
        peer1.executeQuery(injection);
        // ruleid: turbine-sqli
        peer1.executeQuery(injection,false,null);
        // ruleid: turbine-sqli
        peer1.executeQuery(injection,0,0,false,null);
        // ruleid: turbine-sqli
        peer1.executeQuery(injection,0,0,"",false);
        // ruleid: turbine-sqli
        peer1.executeQuery(injection,"");
        // ruleid: turbine-sqli
        peer1.executeQuery(injection,"",false);
    }

    /**
     * Same as {@link #injection111} but with the receiver typed as
     * {@code GroupPeer}.
     */
    public void injection2(GroupPeer peer2, String injection) {
        // ruleid: turbine-sqli
        peer2.executeQuery(injection);
        // ruleid: turbine-sqli
        peer2.executeQuery(injection,false,null);
        // ruleid: turbine-sqli
        peer2.executeQuery(injection,0,0,false,null);
        // ruleid: turbine-sqli
        peer2.executeQuery(injection,0,0,"",false);
        // ruleid: turbine-sqli
        peer2.executeQuery(injection,"");
        // ruleid: turbine-sqli
        peer2.executeQuery(injection,"",false);
    }

    /**
     * Static {@code BasePeer.executeQuery} calls; the receiver is identified
     * by class name rather than by a typed variable.
     */
    public void injection3(String injection) {
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection);
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection,false,null);
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection,0,0,false,null);
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection,0,0,"",false);
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection,"");
        // ruleid: turbine-sqli
        BasePeer.executeQuery(injection,"",false);
    }

    /**
     * Static {@code GroupPeer.executeQuery} calls, mirroring
     * {@link #injection3}.
     */
    public void injection4(String injection) {
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection);
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection,false,null);
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection,0,0,false,null);
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection,0,0,"",false);
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection,"");
        // ruleid: turbine-sqli
        GroupPeer.executeQuery(injection,"",false);
    }

    /**
     * Negative case: the SQL is a local initialised from a single string
     * literal, so no concatenation, {@code String.format} or parameter source
     * is involved and nothing here should be reported.
     */
    public void falsePositive(BasePeer peer0) {
        String constantValue = "SELECT * FROM test";
        // ok: turbine-sqli
        peer0.executeQuery(constantValue);
        // ok: turbine-sqli
        peer0.executeQuery(constantValue,false,null);
        // ok: turbine-sqli
        peer0.executeQuery(constantValue,0,0,false,null);
        // ok: turbine-sqli
        peer0.executeQuery(constantValue,0,0,"",false);
        // ok: turbine-sqli
        peer0.executeQuery(constantValue,"");
        // ok: turbine-sqli
        peer0.executeQuery(constantValue,"",false);
    }
}