SQL Injection error


SQL Injection error

mnelli
I have this code (I created this code only to test this problem):

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Minimal bean as used by the test: plain setters and getter, no escaping.
class User {
    private String nome;
    private String cognome;
    public void setNome(String nome) { this.nome = nome; }
    public void setCognome(String cognome) { this.cognome = cognome; }
    public String getNome() { return nome; }
}

class QueryTest { // enclosing class (name not in the original post)
    public String eseguiQuery(Connection con, String nome, String cognome) throws SQLException {
        User user1 = new User();
        user1.setNome(nome);
        user1.setCognome(cognome);

        Statement stmt1 = null;   // unused, left in the test as posted
        PreparedStatement pstmt;  // unused, left in the test as posted
        Statement stmt2 = con.createStatement();

        // First query: the method parameter is concatenated directly into the SQL.
        ResultSet rs11 = stmt2.executeQuery("select UTENTE " +
                "from USERS where NOME=" + nome);

        // Second query: the same value, but obtained through a method call.
        ResultSet rs2 = stmt2.executeQuery("select UTENTE " +
                "from USERS where NOME=" + user1.getNome());

        return "OK";
    }
}

the first executeQuery is recognised as a SQL injection, but in the second the SQL injection is not recognised

why?
Is it a bug?

Thank you.

(SonarQube version 5.1
Java plugin 3.2)




Re: [sonar-dev] SQL Injection error

Nicolas Peru
Hi, 

This is an expected behaviour as, given the current state of the java analyzer (no cross-file nor cross-method analysis), we have no way to determine whether the getNome() method is a simple getter or is doing some logic to escape the string (and/or that it relates to the setNome method). So, in order to avoid false positives, we avoid raising issues when we cannot say anything, like when the value is returned from a method.
This leads to some limitation of the rule, which will detect only the most obvious cases but avoids too many false positives.

Cheers, 

Nicolas PERU | SonarSource
Senior Developer
http://sonarsource.com


2015-05-11 15:24 GMT+02:00 mnelli <[hidden email]>:
--
View this message in context: http://sonarqube.15.x6.nabble.com/SQL-Injection-error-tp5035210.html
Sent from the SonarQube Developers mailing list archive at Nabble.com.


Re: [sonar-dev] SQL Injection error

Michael Gumowski
In reply to this post by mnelli
Hello mnelli,

This is actually not a bug. In your second situation, we cannot tell whether the result value of your method invocation is actually sanitized or not.
Because of that uncertainty, and to not raise loads of false positives, we simply do not raise any issue when method invocations are used to build statements.

Regards,

Michael GUMOWSKI | SonarSource
Software Developer @ Language Team
http://sonarsource.com

On 11 May 2015 at 15:24, mnelli <[hidden email]> wrote:


Re: [sonar-dev] SQL Injection error

mnelli
Thank you, but in this case I think that it would be better to have a "false positive" instead of no alert.
In fact, in this case I don't find the real SQL injection that really exists (in this case).

It is very probable that I pass a parameter into a SQL string directly from a method, and I think that it would be better if this fact were reported.

For example, this extra PMD security rule (with PMD, not SONAR) recognises this:
https://github.com/GDSSecurity/GDS-PMD-Security-Rules

So, is there a way to add these rules to SONAR?

Thank you!
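The remediation that makes both replies' concern moot, as an added example that is not code from the thread or from the SonarQube Java plugin: both the raw parameter and the getter's return value are bound as PreparedStatement parameters, so whether getNome() escapes anything no longer matters to the query's safety. The User stand-in and the UserQueries class name are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Added example, not the poster's code nor part of the SonarQube Java plugin.
public class UserQueries {
    // Minimal stand-in for the thread's User bean (assumed: plain getter/setters).
    static class User {
        private String nome, cognome;
        void setNome(String n) { nome = n; }
        void setCognome(String c) { cognome = c; }
        String getNome() { return nome; }
    }

    // The SQL text is a compile-time constant; user data is never concatenated into
    // it, so the database receives the value strictly as a bound parameter.
    private static final String SELECT_UTENTE_BY_NOME =
            "select UTENTE from USERS where NOME = ?";

    public List<String> eseguiQuery(Connection con, String nome, String cognome)
            throws SQLException {
        User user1 = new User();
        user1.setNome(nome);
        user1.setCognome(cognome);

        List<String> utenti = new ArrayList<>();
        // Same two lookups as the original test method: the raw parameter and the
        // value returned by the getter. Both go through setString.
        utenti.addAll(findUtenti(con, nome));
        utenti.addAll(findUtenti(con, user1.getNome()));
        return utenti;
    }

    static List<String> findUtenti(Connection con, String nome) throws SQLException {
        List<String> result = new ArrayList<>();
        try (PreparedStatement pstmt = con.prepareStatement(SELECT_UTENTE_BY_NOME)) {
            pstmt.setString(1, nome);
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getString("UTENTE"));
                }
            }
        }
        return result;
    }
}
```

With the parameter bound this way, a value such as a quote or a comment sequence is compared literally against NOME rather than parsed as SQL, which is the property a static rule is only ever approximating.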