sevar83 / android-spatialite

Spatialite database JNI wrapper for Android
101 stars 48 forks

Utilize Parameterized SQL Queries to Address DAST Issues #18

Open harsh0620 opened 9 months ago

harsh0620 commented 9 months ago

Dear Maintainers,

I hope this message finds you well. I have identified a security concern related to the usage of raw SQL queries in two functions within the package. These queries are flagged as vulnerabilities during Dynamic Application Security Testing (DAST) scans in Android applications.

Affected Functions:

1. Function: setVersion(int version)

```java
public void setVersion(int version) {
    execSQL("PRAGMA user_version = " + version);
}
```

2. Function: setPageSize(long numBytes)

```java
public void setPageSize(long numBytes) {
    execSQL("PRAGMA page_size = " + numBytes);
}
```

Issue Description: The mentioned functions use raw SQL queries, which can potentially lead to SQL injection vulnerabilities. To enhance the security of the [Package Name] package, I recommend updating the code to utilize parameterized SQL queries instead.

Suggested Resolution: Refactor the code to use parameterized SQL queries in the affected functions to prevent SQL injection vulnerabilities. This will ensure the package does not pose a risk during DAST scans for Android applications.

Thank you for your attention to this matter. I appreciate your efforts in maintaining the security of the package.

Best Regards, Harsh Chandravanshi
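An added example (not code from the android-spatialite project or from the issue author) showing what "parameterize the PRAGMA" runs into in practice and what the defensive alternative looks like. SQLite's grammar does not accept a bound parameter (`?`) on the right-hand side of a PRAGMA assignment, so the statement must be built as text; the protection therefore comes from constraining the value's type and range before it is rendered into the statement, which is what the `int`/`long` parameters in the reported Java methods already do implicitly. The example uses Python's standard `sqlite3` module against the same SQLite engine that Android uses; the function names `set_user_version`, `set_page_size`, `open_memory_db` and the range limits are assumptions of this example, not the library's API.

```python
import sqlite3

# user_version is stored as a signed 32-bit integer in the database header.
MAX_USER_VERSION = 0x7FFFFFFF
# SQLite only accepts page sizes that are powers of two between 512 and 65536.
VALID_PAGE_SIZES = {512 << i for i in range(8)}


def open_memory_db():
    """Open a fresh in-memory database (constructed test fixture)."""
    return sqlite3.connect(":memory:")


def pragma_accepts_bound_parameter(conn):
    """Probe whether SQLite will bind a parameter inside a PRAGMA assignment.

    Returns False on current SQLite: the parser rejects '?' here, so the
    'use a parameterized query' recommendation cannot be applied literally.
    """
    try:
        conn.execute("PRAGMA user_version = ?", (7,))
        return True
    except sqlite3.OperationalError:
        return False


def _require_int(value, name):
    # bool is a subclass of int in Python; reject it explicitly so only
    # genuine integers reach the statement text.
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("%s must be an int, got %s" % (name, type(value).__name__))


def set_user_version(conn, version):
    """Safe equivalent of setVersion: the value is type- and range-checked,
    then rendered with %d, so no attacker-controlled text can enter the SQL."""
    _require_int(version, "version")
    if not 0 <= version <= MAX_USER_VERSION:
        raise ValueError("version out of 32-bit range: %d" % version)
    conn.execute("PRAGMA user_version = %d" % version)


def get_user_version(conn):
    return conn.execute("PRAGMA user_version").fetchone()[0]


def set_page_size(conn, num_bytes):
    """Safe equivalent of setPageSize: only SQLite's documented page sizes
    are allowed, which is a stricter check than the integer type alone."""
    _require_int(num_bytes, "num_bytes")
    if num_bytes not in VALID_PAGE_SIZES:
        raise ValueError("unsupported page size: %d" % num_bytes)
    conn.execute("PRAGMA page_size = %d" % num_bytes)


def get_page_size(conn):
    return conn.execute("PRAGMA page_size").fetchone()[0]


def rejects(fn, *args):
    """Return True if fn(*args) is refused by the input validation."""
    try:
        fn(*args)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    conn = open_memory_db()
    print("PRAGMA accepts bound parameter:", pragma_accepts_bound_parameter(conn))
    set_user_version(conn, 42)
    print("user_version now", get_user_version(conn))
    set_page_size(conn, 4096)
    print("page_size now", get_page_size(conn))
    print("string rejected:", rejects(set_user_version, conn, "42"))
    print("odd page size rejected:", rejects(set_page_size, conn, 3000))
```

The useful takeaway for triaging the DAST finding: the scanner flags string concatenation into SQL, but the concatenated operand here is a primitive integer, so the finding is about the pattern rather than an exploitable path. Keeping the numeric signature and adding an explicit range/allow-list check, as above, documents that intent and gives reviewers something concrete to verify.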