hawkeyesec / scanner-cli

A project security/vulnerability/risk scanning tool

Detecting security issues on official JDBC drivers? #159

Open PedroD opened 4 years ago

PedroD commented 4 years ago

I'm submitting a security report

Describe the issue: find-secbugs is detecting issues in the official Postgres JDBC drivers, in functions related to prepared statements.

What does this mean and what can one do about it?

| module | level | offender | description | mitigation |
|---|---|---|---|---|
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getColumnPrivileges(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 1670 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getColumns(String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 1537 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getFunctions(String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2645 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String) | org.postgresql.jdbc.PgDatabaseMetaData.getImportedExportedKeys(String, String, String, String, String, String) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2180 |
| java-find-secbugs | medium | In method org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean) | org.postgresql.jdbc.PgDatabaseMetaData.getIndexInfo(String, String, String, boolean, boolean) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 2401 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.commitPrepared(Xid) | org.postgresql.xa.PGXAConnection.commitPrepared(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 586 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.prepare(Xid) | org.postgresql.xa.PGXAConnection.prepare(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 352 |
| java-find-secbugs | high | In method org.postgresql.xa.PGXAConnection.rollback(Xid) | org.postgresql.xa.PGXAConnection.rollback(Xid) passes a nonconstant String to an execute or addBatch method on an SQL statement | Check line(s) 457 |

Driver Version? 42.2.10.jre7

Java Version? 12

To Reproduce: run `docker run --rm -v $PWD:/target hawkeyesec/scanner-cli:latest` in a project using this driver.

Expected behaviour: no security errors.

bekh6ex commented 4 years ago

Hi! Thank you for the report.

My initial assumption is that find-sec-bugs finds this code suspicious and points out potential SQL injection. I would expect that it is built with a "better safe than sorry" approach in mind, so it might fire some false positives if it sees some indicators but cannot really prove the absence of an issue. I would suggest looking in those places and trying to identify whether those issues really exist and/or are relevant or not for your use-case.

I cannot verify it right now though.
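The three shapes a reviewer has to tell apart when triaging these findings, as an added illustration that is not code from scanner-cli, find-sec-bugs or the PostgreSQL driver. The description text in the table above is the message of the SpotBugs pattern SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE, which is reported whenever the analyser cannot show that the String reaching `Statement.execute*`/`addBatch` is assembled purely from compile-time constants; it does not know whether the variable part was user input or a correctly quoted literal. The class name, the `information_schema` query and the `quoteLiteral` helper are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added illustration (hypothetical class, not part of the driver or the scanner) of why
 * the "nonconstant String passed to execute" detector fires on dynamically built SQL.
 * Callers are responsible for closing the returned ResultSet and its Statement.
 */
public final class SqlTriageExample {

    // 1. Real injection: caller-controlled text is concatenated straight into the query.
    //    The detector flags this, and the flag is a true positive.
    static ResultSet columnsUnsafe(Connection conn, String tableFromUser) throws SQLException {
        String sql = "SELECT column_name FROM information_schema.columns WHERE table_name = '"
                + tableFromUser + "'";
        Statement st = conn.createStatement();
        return st.executeQuery(sql);
    }

    // 2. Parameterised: the SQL text is a compile-time constant and the value travels
    //    as a bind parameter. Not flagged, because the String is constant.
    static ResultSet columnsPrepared(Connection conn, String table) throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT column_name FROM information_schema.columns WHERE table_name = ?");
        ps.setString(1, table);
        return ps.executeQuery();
    }

    // 3. Dynamically assembled from fixed fragments, with the only variable part turned
    //    into a quoted literal. The String is still nonconstant, so the detector still
    //    flags it; whether it is a false positive depends entirely on quoteLiteral being
    //    correct, which is what a reviewer has to check at the reported line.
    static ResultSet columnsEscaped(Connection conn, String table, boolean includeSystem)
            throws SQLException {
        StringBuilder sql = new StringBuilder(
                "SELECT column_name FROM information_schema.columns WHERE table_name = ");
        sql.append(quoteLiteral(table));
        if (!includeSystem) {
            sql.append(" AND table_schema NOT IN ('pg_catalog', 'information_schema')");
        }
        Statement st = conn.createStatement();
        return st.executeQuery(sql.toString());
    }

    // Hypothetical helper: quotes a PostgreSQL string literal by doubling single quotes.
    // This is only sufficient with standard_conforming_strings on (the server default),
    // where backslashes carry no meaning inside a plain '...' literal.
    static String quoteLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }
}
```

When the flagged code is a third-party driver, the practical triage is to open the reported line, classify it as shape 1 or shape 3, and, for shape 3, confirm that every variable fragment passes through the project's own quoting or identifier-escaping routine before deciding whether to accept the finding or exclude that dependency from the scan.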