
Review spring-jdbc vulnerabilities report [SPR-16436] #20982

Closed · spring-projects-issues opened this issue Jan 30, 2018 · 1 comment
Labels: in: data

spring-projects-issues commented Jan 30, 2018

Pavel Shelentsov opened SPR-16436 and commented

We use a Maven dependency on the spring-jdbc module and have recently scanned it using the static Veracode analyzer. There are some vulnerabilities there, including flaws with high severity (possible SQL injections); these can be false positives, but need to be checked.

Detailed vulnerabilities report [^spring-jdbc_5.0.3.RELEASE.pdf] is attached to the issue.


Affects: 5.0.3


spring-projects-issues (author) commented Jan 30, 2018

Juergen Hoeller commented

The SQL injection points are all false positives, as far as I can tell. The analysis tool doesn't seem to realize that these statements are being populated through PreparedStatement parameters through callbacks before being executed. The ScriptUtils point is fundamentally valid; however, that utility is only meant for database initialization scripts provided by the application setup and not for user input.

With respect to log output neutralization, we just log the application-provided SQL statement (with parameter placeholders but not containing user input) as well as metadata provided by the JDBC driver. None of this needs to be neutralized from my perspective. Once again, ScriptUtils is a special case since the log statements there are expected to come from an application-embedded script file which is not expected to contain malicious code.

The resource leak is also a false positive since that Statement will get reliably closed through JdbcUtils.closeStatement in the finally block. The analysis tool seems to get confused by the delegated close calls there.
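The three findings discussed in the comment above have a characteristic shape, and the following is an added illustration of each using the public spring-jdbc API. It is example code written for this page, not code from the Spring Framework or from the attached report. It assumes a caller-supplied `DataSource`, a table `users(username, email)`, and a classpath file `schema.sql`; all three are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

import org.springframework.core.io.ClassPathResource;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.jdbc.support.JdbcUtils;

public class ParameterBindingExample {

    // Assumed schema for this example: users(username VARCHAR, email VARCHAR).
    // Only a '?' placeholder appears in the statement text; no user data is in it.
    private static final String LOOKUP_SQL = "SELECT email FROM users WHERE username = ?";

    private final DataSource dataSource;
    private final JdbcTemplate jdbcTemplate;

    public ParameterBindingExample(DataSource dataSource) {
        this.dataSource = dataSource;
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    // Shape a static analyzer tends to flag: the SQL string is handed to
    // prepareStatement() first, and the user-controlled value is bound afterwards,
    // inside the PreparedStatementSetter callback. The tainted value never becomes
    // part of the statement text, so this is a bound parameter, not an injection.
    public List<String> findEmailSafely(String username) {
        return jdbcTemplate.query(
                LOOKUP_SQL,
                (PreparedStatement ps) -> ps.setString(1, username),   // PreparedStatementSetter
                (ResultSet rs) -> {                                     // ResultSetExtractor
                    List<String> emails = new ArrayList<>();
                    while (rs.next()) {
                        emails.add(rs.getString("email"));
                    }
                    return emails;
                });
    }

    // The genuinely injectable shape, for contrast: user input concatenated into the
    // statement text. A scanner finding on a method like this one would be valid.
    public List<String> findEmailUnsafely(String username) {
        String sql = "SELECT email FROM users WHERE username = '" + username + "'";
        return jdbcTemplate.query(sql, (rs, rowNum) -> rs.getString("email"));
    }

    // Shape of the "resource leak" finding: the Statement is created here and closed in
    // the finally block through JdbcUtils.closeStatement, which delegates to
    // Statement.close() and logs (rather than propagates) any exception from it.
    // An analyzer that does not follow the delegated call reports a leak that is not there.
    public int countUsersWithManualStatement() throws SQLException {
        Connection con = dataSource.getConnection();
        Statement stmt = null;
        ResultSet rs = null;
        try {
            stmt = con.createStatement();
            rs = stmt.executeQuery("SELECT COUNT(*) FROM users");
            return rs.next() ? rs.getInt(1) : 0;
        }
        finally {
            JdbcUtils.closeResultSet(rs);
            JdbcUtils.closeStatement(stmt);   // the delegated close the analyzer misses
            con.close();
        }
    }

    // ScriptUtils executes the script text verbatim, statement by statement. That is
    // appropriate for a schema file packaged with the application (schema.sql is an
    // assumed name here) and is exactly why it must never be pointed at a file or
    // string that an end user controls.
    public void initializeSchema() throws SQLException {
        try (Connection con = dataSource.getConnection()) {
            ScriptUtils.executeSqlScript(con, new ClassPathResource("schema.sql"));
        }
    }
}
```

When triaging a report like the attached one, the check that separates the first two methods is whether any tainted value can reach the string passed to `prepareStatement()`; a value that is only ever passed to a `setXxx(int, …)` call on the `PreparedStatement` is data, not SQL. For the ScriptUtils case the question is instead where the `Resource` comes from, which is a deployment and configuration question rather than a defect in the utility.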

@spring-projects-issues spring-projects-issues added in: data type: task labels Jan 11, 2019
@spring-projects-issues spring-projects-issues removed the type: task label Jan 11, 2019