Dwijraj Bhattacharyya

Reputation: 359

Checkmarx Postgres query-forming error: SQL injection error, SQL second-order injection error, Java Spring Boot

I have some APIs that perform database operations. Whenever I upload my code to Checkmarx I get the following error, and it is flagged as a high-vulnerability error. Can anyone help me?

Error

The application's CreateDatabaseAndMapToDomain method executes an SQL query with executeQuery, at line 717 of daas-springboot-CheckMarxIntegration\src\main\java\com\it\daas\apis\service\PostgresConnectionServiceImpl.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.

The attacker may be able to write arbitrary data to the database, which is then retrieved by the application with executeQuery in getDomains method at line 678 of daas-springboot-CheckMarxIntegration\src\main\java\com\it\daas\apis\service\PostgresConnectionServiceImpl.java. This data then flows through the code, until it is used directly in the SQL query without sanitization, and then submitted to the database server for execution.

Here are my functions:

@Override
public String getDomains() throws SQLException {

    // Constant query text: no user input reaches the SQL string itself.
    String domainquery = "SELECT id,domain FROM domain";
    Connection con = null;
    PreparedStatement st = null;
    ResultSet result = null;
    try
    {
        con = ConnectToPostgresapibuilderDatabase(apibuilderConnectionString, apibuilderUserName,apibuilderPassword);
        con.setSchema(this.schema);
        st = con.prepareStatement(domainquery);
        result = st.executeQuery();

        ArrayList<DatabaseDomainBean> list = new ArrayList<DatabaseDomainBean>();
        while (result.next()) {
            list.add(new DatabaseDomainBean(result.getString("domain"), result.getString("id")));
        }
        return new JSONObject().put("domainlist", list).toString();
    }
    catch(Exception e)
    {
        e.printStackTrace();
        return null;
    }
    finally{
        // Null checks: if the connection or statement was never created, closing it
        // here would throw a NullPointerException that hides the real failure.
        if (result != null) result.close();
        if (st != null) st.close();
        if (con != null) con.close();
    }
}

@Override
public String CreateDatabaseAndMapToDomain(String database, String[] domainIds, String password)
        throws SQLException {

    if (!this.apibuilderPassword.equals(password)) {
        return null;
    }
    else if(database==null || domainIds==null || password ==null)
    {
        return "Failure";
    }

    Connection con =null;
    PreparedStatement st =null;
    ResultSet ispresent =null;
    PreparedStatement mapquerystmnt =null;
    ResultSet resultMapping = null;

    try
    {
        con = ConnectToPostgresapibuilderDatabase(apibuilderConnectionString, apibuilderUserName,apibuilderPassword);
        con.setSchema(this.schema);

        for (int i = 0; i < domainIds.length; i++) {

            // MessageFormat.format is the call Checkmarx follows: the untrusted values are
            // passed as format arguments, so the query text is treated as tainted even
            // though this pattern has no {0}/{1} placeholders and comes back unchanged.
            // (MessageFormat also treats single quotes as escape characters, so it is not
            // a safe way to assemble SQL at all.) The values are bound with setString/setInt below.
            String IfExists = MessageFormat.format(
                    "SELECT databasename,domainid FROM Databases WHERE databasename IN (?) AND domainid IN (?)",
                    Utilitymethods.ConvertToMessageFormatCompatibleForm(database),
                    Utilitymethods.ConvertToMessageFormatCompatibleForm(domainIds[i]));

            st = con.prepareStatement(IfExists);
            st.setString(1, database);
            st.setInt(2, Integer.parseInt(domainIds[i]));
            ispresent = st.executeQuery();

            if (!ispresent.next()) {
                // INSERT INTO Databases (databasename,domainid) VALUES ('Teradata','1')
                String mapquery = MessageFormat.format(
                        "INSERT INTO Databases (databasename,domainid) VALUES (?,?) returning Id",
                        Utilitymethods.ConvertToMessageFormatCompatibleForm(database),
                        Utilitymethods.ConvertToMessageFormatCompatibleForm(domainIds[i]));
                mapquerystmnt = con.prepareStatement(mapquery);
                mapquerystmnt.setString(1, database);
                mapquerystmnt.setInt(2, Integer.parseInt(domainIds[i]));
                // "returning Id" yields one row; the id is currently not read.
                resultMapping = mapquerystmnt.executeQuery();
                resultMapping.close();
                mapquerystmnt.close();
            }

            // Close this iteration's statement and result set; they are reassigned on the
            // next pass and would otherwise stay open until the connection closes.
            ispresent.close();
            st.close();
        }

        return "Success";
    }
    catch(Exception e)
    {
        e.printStackTrace();
        return "Failure";
    }
    finally
    {
        // Null checks: if the connection failed before any statement was created, the
        // unconditional close() calls threw a NullPointerException and hid the real error.
        if (ispresent != null) ispresent.close();
        if (st != null) st.close();
        if (resultMapping != null) resultMapping.close();
        if (mapquerystmnt != null) mapquerystmnt.close();
        if (con != null) con.close();
    }
}

Upvotes: 1

Views: 7393

Answers (1)

Pradeep Kumar

Reputation: 26

Try with st = con.prepareStatement("SELECT id,domain FROM domain") directly. It looks like Checkmarx is confused by the String domainquery = "SELECT id,domain FROM domain" statement and the possibility of SQL injection.

Upvotes: 1
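Added example, not code from the question or the answer: it shows why the flagged MessageFormat.format calls change nothing for these query strings yet are still worth removing, and the shape the scanner and the answer above are asking for, where the SQL text is a compile-time constant and database/domainIds reach the driver only through setString/setInt. The class name SafeMappingExample and the method mapDatabaseToDomains are assumptions; the Databases table and its columns are taken from the question, and main runs without a database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.text.MessageFormat;

public class SafeMappingExample {
    // SQL text is a compile-time constant; user data reaches the driver only as bind values.
    static final String EXISTS_SQL =
            "SELECT databasename,domainid FROM Databases WHERE databasename = ? AND domainid = ?";
    static final String INSERT_SQL =
            "INSERT INTO Databases (databasename,domainid) VALUES (?,?) returning Id";

    // Maps database to each domain id not already mapped; returns the number of rows inserted.
    // Statements are prepared once and reused; ids are validated as integers before any query.
    public static int mapDatabaseToDomains(Connection con, String database, String[] domainIds)
            throws SQLException {
        if (database == null || domainIds == null) {
            throw new IllegalArgumentException("database and domainIds are required");
        }
        int inserted = 0;
        try (PreparedStatement exists = con.prepareStatement(EXISTS_SQL);
             PreparedStatement insert = con.prepareStatement(INSERT_SQL)) {
            for (String rawId : domainIds) {
                int domainId = Integer.parseInt(rawId.trim()); // non-numeric ids fail here, before any query
                exists.setString(1, database);
                exists.setInt(2, domainId);
                try (ResultSet rs = exists.executeQuery()) {
                    if (rs.next()) continue; // already mapped
                }
                insert.setString(1, database);
                insert.setInt(2, domainId);
                try (ResultSet rs = insert.executeQuery()) { // RETURNING Id produces one row
                    if (rs.next()) inserted++;
                }
            }
        }
        return inserted;
    }

    public static void main(String[] args) {
        // With only '?' placeholders MessageFormat has nothing to substitute: the arguments
        // are ignored, so the flagged call changed nothing but still taints the query text.
        String sql = "SELECT databasename,domainid FROM Databases WHERE databasename IN (?) AND domainid IN (?)";
        System.out.println(MessageFormat.format(sql, "Teradata", "1").equals(sql));
        // MessageFormat is not an SQL formatter: single quotes are its escape syntax, so a
        // query containing string literals has its quotes stripped and its meaning altered.
        String literal = "INSERT INTO Databases (databasename,domainid) VALUES ('Teradata','1')";
        System.out.println(MessageFormat.format(literal));
    }
}
```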