find-sec-bugs / find-sec-bugs

The SpotBugs plugin for security audits of Java web applications and Android applications. (Also works with Kotlin, Groovy and Scala projects.)
https://find-sec-bugs.github.io/
GNU Lesser General Public License v3.0

False positive spring jdbctemplate SQL Injection #538

Closed dcherix closed 4 years ago

dcherix commented 4 years ago

Environment

Component Version
Maven ?????
Gradle 6.0.1
Java 8
SpotBugs 3.1.12
FindSecBugs 1.8.0

Problem

[Find Security Bugs | Security | SQL_INJECTION_SPRING_JDBC] is reported when using PreparedStatementSetter or BatchPreparedStatementSetter. Due to the use of PreparedStatement it's a false positive.

Code

import org.apache.commons.text.StringSubstitutor;
import org.springframework.jdbc.core.JdbcTemplate;

public class BugSample1 {
    // Query text is a compile-time constant (static final, see reply below); the SQL body is a constructed sample
    private static final String DELETE_PERMISSION = "DELETE FROM permission WHERE type = ? AND identifier = ?";
    private StringSubstitutor substitutor; // StrSubstitutor / StringSubstitutor, see the thread below
    private JdbcTemplate jdbcTemplate;
    // Hypothetical value type added so the getters used below resolve
    interface Permission { String getType(); long getIdentifier(); }

    public void someSqlCode(Permission o) {
        // Values are bound through the PreparedStatementSetter, never concatenated into the SQL
        this.jdbcTemplate.update(substitutor.replace(DELETE_PERMISSION), ps -> {
            ps.setString(1, o.getType());
            ps.setLong(2, o.getIdentifier());
        });
    }
}

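
As an added illustration (not code from the issue or from the find-sec-bugs project), the two JdbcTemplate patterns the SQL_INJECTION_SPRING_JDBC detector has to tell apart: a constant template whose only variable parts are bind parameters, beside the concatenated form the detector exists for. It assumes Spring's JdbcTemplate and commons-text StringSubstitutor; the class, table and column names are constructed.

```java
import java.util.Collections;
import org.apache.commons.text.StringSubstitutor;
import org.springframework.jdbc.core.JdbcTemplate;

// Added example: safe binding versus string building with Spring JdbcTemplate.
public class PermissionDao {
    // Statement shape fixed at compile time; ${schema} is filled from
    // configuration, and the user-controlled values travel as bind parameters.
    private static final String DELETE_PERMISSION =
            "DELETE FROM ${schema}.permission WHERE type = ? AND identifier = ?";

    private final JdbcTemplate jdbcTemplate;
    // The substitution map must come from configuration, not from a request:
    // if it were user controlled, the template step itself would be the
    // injection point, which is why the detector cannot simply ignore replace().
    private final StringSubstitutor substitutor;

    public PermissionDao(JdbcTemplate jdbcTemplate, String schema) {
        this.jdbcTemplate = jdbcTemplate;
        this.substitutor = new StringSubstitutor(
                Collections.singletonMap("schema", schema));
    }

    // Safe: the caller's values are handed to the PreparedStatementSetter, so
    // they are sent as parameters and cannot alter the statement's structure.
    // This is the pattern reported as a false positive in this issue.
    public int deleteSafely(String type, long identifier) {
        return jdbcTemplate.update(substitutor.replace(DELETE_PERMISSION), ps -> {
            ps.setString(1, type);
            ps.setLong(2, identifier);
        });
    }

    // Unsafe: the same statement assembled by concatenation. A quote character
    // inside "type" ends the literal and rewrites the WHERE clause; this is the
    // real SQL_INJECTION_SPRING_JDBC finding, kept here only for contrast.
    public int deleteUnsafely(String type, long identifier) {
        String sql = "DELETE FROM permission WHERE type = '" + type
                + "' AND identifier = " + identifier;
        return jdbcTemplate.update(sql);
    }
}
```

When triaging a report on code like deleteSafely, check two things: that the SQL passed to update() derives only from constants and trusted configuration, and that every caller-supplied value reaches the statement through a setter or argument array.
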
h3xstream commented 4 years ago

Is the value DELETE_PERMISSION a constant string (final static) ?

dcherix commented 4 years ago

Yes it is

yahanvesh commented 4 years ago

Any update on this?

h3xstream commented 4 years ago

Not yet evaluated in depth .. marking it so that I don't forget about it.

h3xstream commented 4 years ago

@dcherix Can I get a confirmation of the type of the variable substitutor? It looks like it could be an instance of StrSubstitutor / StringSubstitutor.

h3xstream commented 4 years ago

Both classes are now supported.