mend-demo / easybuggy

Apache License 2.0

Mend SAST Vulnerability (Risk: High, Type: SQL Injection) #24

Open stanley-yeh opened 2 years ago

stanley-yeh commented 2 years ago

Mend SAST Finding (Scan-easybuggy-2022/07/18 01:35:26 PM):

Vulnerability Type: SQL Injection

Vulnerable Sink Call: rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name + "' AND password='" + password + "'");

Input Source: getParameter

Vulnerable Project File: src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Function Call Stack:

0 - stmt.executeQuery (Line: 69) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

1 - selectUsers (Line: 45) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

User Input Flow:

0 - getParameter (Line: 28) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

1 - password (Line: 28) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

2 - password (Line: 45) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

3 - password (Line: 60) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

4 - name (Line: 69) - src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Description: Tainted input "getParameter" was received in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java:

String password = StringUtils.trim(req.getParameter("password"));

the value is then passed on to the value of "password" in line 28 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

String password = StringUtils.trim(req.getParameter("password"));

which is further passed on to the value of "password" in line 45 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

bodyHtml.append(selectUsers(name, password, req));

which is further passed on to the value of "password" in line 60 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

private String selectUsers(String name, String password, HttpServletRequest req) {

which is further passed on to the value of "name" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

and finally passed unsanitized into a sensitive sink function "stmt.executeQuery" in line 69 of the file src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java, causing a High severity SQL Injection vulnerability. The executeQuery method of the Statement object could be abused to perform a SQL Injection attack:

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Mitigation Recommendations:

Further Reading:

CWE-89 SQL Injection weakness found.