Yi-An Lin

Reputation: 9

Checkmarx shows the code has risks for second order injection

Checkmarx scanned our code and showed that this code has risks of second order injection. The code looks like this:

import java.util.List;
import java.util.Map;
import org.hibernate.SQLQuery;
import org.hibernate.transform.Transformers;

// ScalarType, Info and ApplicationException are the project's own types.
@SuppressWarnings("unchecked")
public List<Map<String, Object>> findBySQL(String sql, List<ScalarType> types, List<Object> values, Info info) throws ApplicationException {
    try {
        // The sql text itself is passed straight to Hibernate; this is the path the scanner reports.
        SQLQuery query = currentSession().createSQLQuery(sql);
        if (types != null) {
            // Declare the scalar columns the native query returns.
            for (ScalarType scalar : types) {
                query.addScalar(scalar.getColumn(), scalar.getType());
            }
        }

        if (values != null) {
            // Bind each value to a positional '?' placeholder; these are not concatenated into the text.
            for (int i = 0; i < values.size(); i++) {
                query.setParameter(i, values.get(i));
            }
        }
        // Return each row as a column-name -> value map instead of an entity.
        query.setResultTransformer(Transformers.ALIAS_TO_ENTITY_MAP);
        return query.list();
    } catch (Exception e) {
        throw new ApplicationException(e, info);
    }
}

Our code uses the PreparedStatement to execute SQL. But why does this code still have the risk, and how can I fix it?

Upvotes: 1

Views: 8010
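The sink the scanner is pointing at is the sql argument itself: setParameter protects the value positions, but any table, column or ORDER BY fragment spliced into the string, including one read back from the database earlier (the "second order" case), reaches createSQLQuery unchecked. The following is an added example, not code from the question or its project: a hypothetical SafeQueryBuilder that only accepts allow-listed identifiers for the text and routes every data value through the parameter list, so its output can be handed to a method like findBySQL. The table and column names are constructed for the example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Hypothetical helper: builds (sql, values) pairs for a findBySQL-style method.
// Identifiers must match an allow-list; data only travels through positional parameters.
public class SafeQueryBuilder {
    // Constructed allow-list: the only table and columns permitted in generated SQL.
    private static final Map<String, Set<String>> ALLOWED = new HashMap<>();
    static { ALLOWED.put("XYZ", Set.of("COL1", "COL2", "CREATED_AT")); }

    public static final class Built {
        public final String sql;
        public final List<Object> values;
        Built(String sql, List<Object> values) { this.sql = sql; this.values = values; }
    }

    // column and sortColumn may come from a preference row written earlier (the second-order
    // path), so they are checked against the allow-list rather than trusted as "from the DB".
    public static Built equalsQuery(String table, String column, Object value,
                                    String sortColumn, boolean descending) {
        if (!ALLOWED.containsKey(table)) {
            throw new IllegalArgumentException("table not allow-listed: " + table);
        }
        String sql = "SELECT * FROM " + table + " WHERE " + column(table, column)
                   + " = ? ORDER BY " + column(table, sortColumn) + (descending ? " DESC" : " ASC");
        List<Object> values = new ArrayList<>();
        values.add(value);   // data: bound via setParameter, never spliced into the text
        return new Built(sql, values);
    }

    private static String column(String table, String name) {
        if (!ALLOWED.get(table).contains(name)) {
            throw new IllegalArgumentException("column not allow-listed: " + name);
        }
        return name;
    }

    public static void main(String[] args) {
        Built ok = equalsQuery("XYZ", "COL1", "Test", "CREATED_AT", true);
        System.out.println(ok.sql + "  values=" + ok.values);
        try {
            // Constructed sort preference that was stored tampered and read back later.
            equalsQuery("XYZ", "COL1", "Test", "COL1 OR 1 = 1", false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the only strings that ever reach the query text are allow-list members, the scanner's taint path from stored data to createSQLQuery is closed while the 'Test' value still goes through setParameter as before.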

Answers (2)

Prasann

Reputation: 1291

Checkmarx throws the error because the values you are setting for the query parameters are not validated for their type.

For example, let us assume the query formed with your PreparedStatement is as below and the value you want to pass to the query parameter is 'Test':

Select * from XYZ where COL1 = ?

If your code is compromised and the intruder passes 'Test' OR 1 = 1 in the query parameter, then the condition will always be true and it will return all the records from the table.

So, before executing the query you should validate all your inputs.

Hope this helps.

Upvotes: 2

SPoint

Reputation: 600

For solving your issue in Checkmarx, you need to validate that sql String.

Upvotes: 0
