openrewrite / rewrite-sql

OpenRewrite recipes for SQL.
Apache License 2.0

Detect SQL injection as part of OWASP Top Ten recipe #13

Open aman-pebicloud opened 1 month ago

aman-pebicloud commented 1 month ago

What version of OpenRewrite are you using?

I am using

How are you running OpenRewrite?

I am using the Maven plugin, and my project is a single module project.

<plugin>
    <groupId>org.openrewrite.maven</groupId>
    <artifactId>rewrite-maven-plugin</artifactId>
    <version>5.35.0</version>
    <configuration>
        <activeRecipes>
            <recipe>org.openrewrite.java.security.OwaspTopTen</recipe>
        </activeRecipes>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.openrewrite.recipe</groupId>
            <artifactId>rewrite-java-security</artifactId>
            <version>2.10.3</version>
        </dependency>
    </dependencies>
</plugin>

mvn rewrite:run

What is the smallest, simplest way to reproduce the problem?

I have a SQL injection vulnerability in my code snippet and it doesn't get fixed by the org.openrewrite.java.security.OwaspTopTen recipe.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

// Enclosing class name assumed; the issue shows only the method.
public class VulnerableRepository {
    public void vulnerableMethod(String userInput) {
        try (Connection connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/mydb", "user", "password")) {
            Statement statement = connection.createStatement();
            // userInput is concatenated straight into the SQL text: this is the injection point
            String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
            ResultSet resultSet = statement.executeQuery(query);

            while (resultSet.next()) {
                System.out.println("User: " + resultSet.getString("username"));
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

What did you expect to see?

I expect the vulnerable code to be detected and corrected by rewrite.

What did you see instead?

The vulnerability didn't get detected.

What is the full stack trace of any errors you encountered?

No errors.

What am I looking for?

If this is an issue, please address this. Can I see some examples where this recipe is used, and try to validate that it works?

timtebeek commented 1 month ago

Hi @aman-pebicloud; the OWASP Top Ten recipe is a composite of other recipes. In your case you're probably looking to add a detection & correction recipe to rewrite-sql first, before including that in OWASP Top Ten. I'll move this issue accordingly.
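As an illustration of what the "detection" half of such a recipe looks like, here is an added, search-only OpenRewrite recipe written for this thread; it is not code from rewrite-sql or rewrite-java-security. It marks `java.sql.Statement.execute*` calls whose SQL text is built with `+`, either inline or through a local variable like the `query` in the snippet above. The package name, class name and the `execute*(String, ..)` method pattern are assumptions; the visitor, `MethodMatcher` and `SearchResult` APIs are OpenRewrite's own. Rewriting the call into a `PreparedStatement` with bound parameters (the "correction" half) is left out here.

```java
package com.example.sqlsafety; // hypothetical package, not part of rewrite-sql

import java.util.HashSet;
import java.util.Set;

import org.openrewrite.ExecutionContext;
import org.openrewrite.Recipe;
import org.openrewrite.TreeVisitor;
import org.openrewrite.java.JavaIsoVisitor;
import org.openrewrite.java.MethodMatcher;
import org.openrewrite.java.tree.Expression;
import org.openrewrite.java.tree.J;
import org.openrewrite.marker.SearchResult;

/**
 * Search-only recipe (constructed for this thread, not shipped by rewrite-sql or
 * rewrite-java-security): marks java.sql.Statement execute* calls whose SQL text is
 * built with `+`, either inline or through a local such as
 * `String query = "SELECT ... '" + userInput + "'";`.
 */
public class FindConcatenatedSqlExecution extends Recipe {

    // Assumed method pattern: any execute/executeQuery/executeUpdate overload on
    // java.sql.Statement whose first parameter is the SQL string.
    private static final MethodMatcher STATEMENT_EXECUTE =
            new MethodMatcher("java.sql.Statement execute*(String, ..)");

    @Override
    public String getDisplayName() {
        return "Find SQL executed from concatenated strings";
    }

    @Override
    public String getDescription() {
        return "Marks `Statement.execute*` calls whose SQL is assembled with `+`, " +
               "a common SQL injection pattern; bind values with `PreparedStatement` instead.";
    }

    @Override
    public TreeVisitor<?, ExecutionContext> getVisitor() {
        return new JavaIsoVisitor<ExecutionContext>() {
            // Locals of the method currently being visited that were initialised by concatenation.
            private final Set<String> concatenatedLocals = new HashSet<>();

            @Override
            public J.MethodDeclaration visitMethodDeclaration(J.MethodDeclaration method, ExecutionContext ctx) {
                concatenatedLocals.clear();
                // Pre-pass over the body: remember `String query = "..." + userInput;` style locals.
                new JavaIsoVisitor<Set<String>>() {
                    @Override
                    public J.VariableDeclarations.NamedVariable visitVariable(
                            J.VariableDeclarations.NamedVariable variable, Set<String> names) {
                        if (isTaintedConcatenation(variable.getInitializer())) {
                            names.add(variable.getSimpleName());
                        }
                        return super.visitVariable(variable, names);
                    }
                }.visit(method.getBody(), concatenatedLocals);
                return super.visitMethodDeclaration(method, ctx);
            }

            @Override
            public J.MethodInvocation visitMethodInvocation(J.MethodInvocation method, ExecutionContext ctx) {
                J.MethodInvocation m = super.visitMethodInvocation(method, ctx);
                if (!STATEMENT_EXECUTE.matches(m) || m.getArguments().isEmpty()) {
                    return m;
                }
                Expression sql = m.getArguments().get(0);
                boolean inline = isTaintedConcatenation(sql);
                boolean viaLocal = sql instanceof J.Identifier
                        && concatenatedLocals.contains(((J.Identifier) sql).getSimpleName());
                if (inline || viaLocal) {
                    // SearchResult renders as a /*~~(...)~~>*/ comment in the dry-run diff.
                    return SearchResult.found(m, "SQL built by string concatenation; use PreparedStatement parameters");
                }
                return m;
            }
        };
    }

    // A `+` chain counts as tainted when at least one operand is not a string literal.
    private static boolean isTaintedConcatenation(Expression e) {
        return e instanceof J.Binary
                && ((J.Binary) e).getOperator() == J.Binary.Type.Addition
                && !onlyLiterals(e);
    }

    private static boolean onlyLiterals(Expression e) {
        if (e instanceof J.Literal) {
            return true;
        }
        if (e instanceof J.Binary) {
            J.Binary b = (J.Binary) e;
            return onlyLiterals(b.getLeft()) && onlyLiterals(b.getRight());
        }
        return false;
    }
}
```

Two caveats when trying this against the snippet in the issue: `MethodMatcher` relies on type attribution, so the source must parse with the JDK's `java.sql` types resolved (which the Maven plugin does for a compiling project), and the local-variable lookup is name-based within one method body only, so SQL text that is concatenated in another method or field and passed in will not be flagged; a real rewrite-sql recipe would want OpenRewrite's data-flow analysis for that.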

aman-pebicloud commented 1 month ago

My bad, I wanted to post in rewrite-java-security, somehow landed here. Thanks for moving it.