java.lang.security.audit.sqli.vertx-sqli.vertx-sqli


Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statement (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.


Definition

rules:
  - id: vertx-sqli
    message: Detected a formatted string in a SQL statement. This could lead to SQL
      injection if variables in the SQL statement are not properly sanitized.
      Use a prepared statement (java.sql.PreparedStatement) instead. You can
      obtain a PreparedStatement using 'connection.prepareStatement'.
    languages:
      - java
    severity: WARNING
    patterns:
      - pattern-either:
          - patterns:
              - pattern-either:
                  - pattern-inside: |
                      String $SQL = $X + $Y;
                      ...
                  - pattern-inside: |
                      String $SQL = String.format(...);
                      ...
                  - pattern-inside: |
                      $TYPE $FUNC(...,String $SQL,...) {
                        ...
                      }
              - pattern-not-inside: |
                  String $SQL = "..." + "...";
                  ...
              - pattern: $SC.$METHOD($SQL,...)
          - pattern: |
              $SC.$METHOD(String.format(...),...);
          - pattern: |
              $SC.$METHOD($X + $Y,...);
      - pattern-either:
          - pattern-inside: |
              SqlClient $SC = ...;
              ...
          - pattern-inside: |
              SqlConnection $SC = ...;
              ...
          - pattern-inside: |
              $TYPE $FUNC(...,SqlClient $SC,...) {
                ...
              }
          - pattern-inside: |
              $TYPE $FUNC(...,SqlConnection $SC,...) {
                ...
              }
      - pattern-not: |
          $SC.$METHOD("..." + "...",...);
      - metavariable-regex:
          metavariable: $METHOD
          regex: ^(query|preparedQuery|prepare)$
    metadata:
      cwe:
        - "CWE-89: Improper Neutralization of Special Elements used in an SQL
          Command ('SQL Injection')"
      category: security
      technology:
        - vertx
      owasp:
        - A01:2017 - Injection
        - A03:2021 - Injection
      references:
        - https://owasp.org/Top10/A03_2021-Injection
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: HIGH
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - SQL Injection

Examples

vertx-sqli.java

package testcode.sqli;

import io.vertx.sqlclient.SqlClient;
import io.vertx.sqlclient.SqlConnection;

/**
 * Semgrep test fixture for the {@code vertx-sqli} rule.
 *
 * <p>The {@code // ruleid:} and {@code // ok:} comments are the expected findings, so the exact
 * syntactic shape of each method (parameter types, local assignments, which client method is
 * called) is what is under test and must not be refactored casually.
 *
 * <p>Every method here is a detection example, not production code: it shows which call shapes
 * the rule reports as potential SQL injection and which it leaves alone. In these examples the
 * rule fires whenever a {@code String} method parameter reaches {@code query},
 * {@code preparedQuery} or {@code prepare} on a {@code SqlClient}/{@code SqlConnection}, even
 * without visible concatenation or {@code String.format}, and stays silent when the query text is
 * a literal assigned to a local.
 */
public class VertxSqlClient {

    /**
     * Reported: the SQL text is a {@code String} method parameter passed straight to
     * {@code SqlClient.query}, which the rule treats as potentially attacker-controlled.
     */
    public void injection1(SqlClient client, String injection) {
        // ruleid: vertx-sqli
        client.query(injection);
    }

    /**
     * Reported: {@code preparedQuery} is in the rule's method list, and the argument is still an
     * untrusted parameter. Preparing a statement whose text is itself built from input does not
     * neutralize the injection; the parameter values need to be bound separately from the SQL text.
     */
    public void injection2(SqlClient client, String injection) {
        // ruleid: vertx-sqli
        client.preparedQuery(injection);
    }

    /** Reported: {@code SqlConnection.prepare} with a parameter-sourced SQL string. */
    public void injection3(SqlConnection conn, String injection) {
        // ruleid: vertx-sqli
        conn.prepare(injection);
    }

    /**
     * Reported: same as {@link #injection3}, showing that extra trailing arguments do not suppress
     * the finding. The {@code null} second argument is only here to exercise the two-arg overload
     * — presumably the prepare options; not relevant to the match.
     */
    public void injection4(SqlConnection conn, String injection) {
        // ruleid: vertx-sqli
        conn.prepare(injection, null);
    }

    /**
     * Not reported: the SQL text is a string literal held in a local, not a method parameter,
     * a concatenation or a {@code String.format} result, so none of the rule's source patterns
     * apply.
     */
    public void falsePositive1(SqlClient client) {
        String constantValue = "SELECT * FROM test";
        // ok: vertx-sqli
        client.query(constantValue);
    }

    /** Not reported: same constant-literal case as {@link #falsePositive1}, via {@code SqlConnection}. */
    public void falsePositive2(SqlConnection conn) {
        String constantValue = "SELECT * FROM test";
        // ok: vertx-sqli
        conn.query(constantValue);
    }
}