Mend SAST Finding (Severity: High, Type: SQL Injection)

[lukebrogan-mend]

Mend SAST Finding (Scan-easybuggy-2023/05/12 10:21:05 AM):

Vulnerability Type: SQL Injection Vulnerable Project File: src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java:69 Vulnerable Sink Call: java.sql.Statement.executeQuery Data Flows: 1

Description: A sensitive sink function was discovered in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java. It causes a High severity SQL Injection vulnerability.

'executeQuery' method of 'java.sql.Statement' object could be abused to perform a SQL Injection attack:

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Data Flow: Tainted input "getParameter" was received in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java:

String password = StringUtils.trim(req.getParameter("password"));

the value is then used in the function "org.apache.commons.lang.StringUtils.trim" in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

String password = StringUtils.trim(req.getParameter("password"));

which is further passed on to the value of "password" in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

String password = StringUtils.trim(req.getParameter("password"));

which is further used in the function "selectUsers" in line 45 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

bodyHtml.append(selectUsers(name, password, req));

which is further passed to the function as "password" in line 60 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

private String selectUsers(String name, String password, HttpServletRequest req) {

which is further passed on to the value of **""SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

• "' AND password='" + password + "'"" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java**

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

and finally passed unsanitized into a sensitive sink function "java.sql.Statement.executeQuery" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java, causing a High severity SQL Injection vulnerability.

'executeQuery' method of 'java.sql.Statement' object could be abused to perform a SQL Injection attack:

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Mitigation Recommendations:

• Using prepared statements (with parameterized queries)
• Correct filtering (escaping) of string literal escape characters in SQL statements, like single quote ('), double quote ("), backslash () and the NULL byte
• Checking parameters for valid representation for the give type (integer, float or boolean)
• Correct database permissions on logon, which restricts web application or user access to unnecessary data

Further Reading:

• https://owasp.org/www-community/attacks/SQL_Injection
• https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html