Description
False positive on Query built by concatenation with a possibly-untrusted string
- java/concatenated-sql-query
We have a constant value from an enum:

```java
public enum CommentType {
    REVIEW_SIMPLE_COMMENT("comment.review.simple"),
    SIMPLE_COMMENT("comment.simple");

    // Fixed at compile time; there is no setter and the field is final.
    private final String type;

    private CommentType(String type) {
        this.type = type;
    }

    public String getType() {
        return this.type;
    }
}
```
It is used in a query:

```java
sql.append(" AND REVIEW_COMMENT.COMMENT_TYPE = '").append(CommentType.REVIEW_SIMPLE_COMMENT.getType()).append("') ");
```
And CodeQL is stating "Query built by concatenation with a possibly-untrusted string" on `CommentType.REVIEW_SIMPLE_COMMENT.getType()`. From my understanding, the enum is immutable. Could you take a look?
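As an added example (not code from the issue or from the CodeQL project), the same filter can be written so that the enum's value is never concatenated into the SQL text at all: the fixed SQL is assembled from literals and the value is handed to the driver as a `PreparedStatement` parameter. Whatever the verdict on the alert, this form leaves nothing for `java/concatenated-sql-query` to report. The `REVIEW_COMMENT` table, the `COMMENT_TYPE` column and the `CommentType` enum are taken from the issue; the `ID`, `BODY` and `REVIEW_ID` columns, the `Connection`, and the method names are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class CommentQuery {

    // Enum from the issue. The value is fixed at compile time, but it reaches
    // the query through a method call rather than as a string literal.
    public enum CommentType {
        REVIEW_SIMPLE_COMMENT("comment.review.simple"),
        SIMPLE_COMMENT("comment.simple");

        private final String type;

        CommentType(String type) {
            this.type = type;
        }

        public String getType() {
            return type;
        }
    }

    /** SQL text with '?' placeholders plus the values to bind, in placeholder order. */
    public static final class BoundQuery {
        public final String sql;
        public final List<Object> params;

        BoundQuery(String sql, List<Object> params) {
            this.sql = sql;
            this.params = params;
        }
    }

    /**
     * Builds the query with a placeholder instead of splicing the enum's string
     * into the SQL. Only literal SQL fragments are concatenated; the enum value
     * is kept in a separate parameter list. (Column names are assumed.)
     */
    public static BoundQuery buildQuery(long reviewId, CommentType type) {
        StringBuilder sql = new StringBuilder();
        List<Object> params = new ArrayList<>();

        sql.append("SELECT ID, BODY FROM REVIEW_COMMENT WHERE REVIEW_ID = ?");
        params.add(reviewId);

        if (type != null) {
            // Same condition as in the issue, value bound rather than quoted in.
            sql.append(" AND REVIEW_COMMENT.COMMENT_TYPE = ?");
            params.add(type.getType());
        }
        return new BoundQuery(sql.toString(), params);
    }

    /** Runs the query on a live connection; the driver does the quoting. */
    public static List<String> fetchBodies(Connection conn, long reviewId, CommentType type)
            throws SQLException {
        BoundQuery q = buildQuery(reviewId, type);
        List<String> bodies = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(q.sql)) {
            for (int i = 0; i < q.params.size(); i++) {
                ps.setObject(i + 1, q.params.get(i)); // JDBC parameters are 1-based
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    bodies.add(rs.getString("BODY"));
                }
            }
        }
        return bodies;
    }

    public static void main(String[] args) {
        // Shows the SQL that would be prepared and the value that would be bound.
        BoundQuery q = buildQuery(42L, CommentType.REVIEW_SIMPLE_COMMENT);
        System.out.println(q.sql);
        System.out.println(q.params);
    }
}
```

Keeping the query text and the parameter list separate (the `BoundQuery` pair) also makes the builder unit-testable without a database, and the `type == null` branch shows how an optional filter is added without ever building SQL from a runtime string.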