Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

Closed
domak opened this issue Dec 13, 2013 · 5 comments
Closed

Improve taint analysis to avoid SQL Injection detected when StringBuilder is used #14

domak opened this issue Dec 13, 2013 · 5 comments
Assignees
@h3xstream
Labels
enhancement New feature or improvement to existing detector.
Milestone
version-1.4.2

Comments

@domak
Copy link

domak commented Dec 13, 2013

Hi,

As soon as I see a StringBuilder in JPA EntityManager.createQuery(), an SQL injection is detected:

StringBuilder buff = new StringBuilder("from Tiers t");
// add conditional where clauses

TypedQuery<Tiers> query1 = em.createQuery(buff.toString(), Tiers.class); // SQL injection detected
query1.getResultList();

Is it possible to improve detector by checking that no input parameter (method parameter or attribute) has been added to the StringBuilder?

On the code I try to verify, there are a lot of where clauses added if a parameter is not null (and the developper uses setParameter() method)
@h3xstream
Copy link
Member

For the moment, the detection of injection was base on code from Findbugs core plugin.
The next thing I'll be working on is improving(/rebuild) the detection of constant string. (including String builder using only constants)
I will include a equivalent sample in the test cases.

@h3xstream h3xstream self-assigned this Aug 19, 2014
@h3xstream h3xstream added this to the version-1.4.2 milestone Apr 29, 2015
@h3xstream h3xstream changed the title SQL Injection detected when I use StringBuilder SQL Injection detected when StringBuilder is used with constant strings Apr 29, 2015
h3xstream added a commit that referenced this issue Apr 30, 2015
@h3xstream
Samples for the elimination of false positives with StringBuilder #14
8175b03
h3xstream added a commit that referenced this issue Jun 29, 2015
@h3xstream
New injection analysis that aim to minimize false positive including …
43e579a 
…the use of StringBuilder/StringBuffer. #14

For the moment, the false positive are mark at priority Low instead of High (regular priority for Injection vulnerability).

Added the capability to test the priority set by detectors. (BugInstanceMatcher)
@h3xstream h3xstream mentioned this issue Jul 10, 2015
Merged
@h3xstream
Copy link
Member

The initial code sample with StringBuilder is now supported. Even much more advanced flow analysis are done in 1.4.2.
The release version will be available very soon.

@h3xstream h3xstream changed the title SQL Injection detected when StringBuilder is used with constant strings Improved taint analysis to avoid SQL Injection detected when StringBuilder is used Aug 18, 2015
@h3xstream h3xstream changed the title Improved taint analysis to avoid SQL Injection detected when StringBuilder is used Improve taint analysis to avoid SQL Injection detected when StringBuilder is used Aug 18, 2015
@ThrawnCA
Copy link

ThrawnCA commented Apr 3, 2018

I'm still getting false positives from SQL_INJECTION_HIBERNATE when assembling a constant string:

private static final String NTP_QUERY = new StringBuilder(
                " select os.name, p.dateProcessed, cd.title || ' ' || cd.givenName || ' ' || cd.familyName, p.amount ")
        .append("   from Statement as st ")
        .append("  inner join st.paymentRequest as pr ")
        .append("  inner join pr.onlineService as os ")
        .append("   left outer join pr.contactDetails as cd ")
        .append("  inner join st.payment as p ")
        .append("  where p.dateProcessed >= :startDate ")
        .append("    and p.dateProcessed <= :endDate")
        .append("  order by p.id")
        .toString();

and then passing it to Hibernate Session createQuery.

@h3xstream
Copy link
Member

h3xstream commented Apr 23, 2018
edited

Field are different beast.

Unless the type is primitive final instance can be altered. Here it is an immutable type String with a twist. In general, we didn't need to worry about constant String because the compiler does optimization were it will copy the content of constant everywhere they are used (inline into the code of methods). This late initialization does not allow the compiler to optimize the use of the string.

I think it is worth to be supported.

@h3xstream
Copy link
Member

h3xstream commented Apr 23, 2018
edited

@ThrawnCA I have created #385

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@h3xstream h3xstream

Labels
enhancement New feature or improvement to existing detector.
Projects
None yet
Milestone
version-1.4.2
Development

No branches or pull requests
3 participants
@domak @h3xstream @ThrawnCA