Hi All,

I also analyzed this problem. My best guess is that this is a limitation or
a bug in the "sonar" plugin. Let me present my observations and hope you
find this reply useful to solve the issue.

The code at line 92 in [1] is as follows (however, it is not recommended to
refer to code lines in Git, since they become inaccurate due to continuous
code changes):

    prepStmt = connection.prepareStatement(SQLQuery.CHECK_EXIST_USER_DATA);

In the latter part, CHECK_EXIST_USER_DATA is defined as a constant in the
inner class named "SQLQuery" (refer below).

    public static final String CHECK_EXIST_USER_DATA = "SELECT " + "DATA_VALUE "
            + "FROM IDN_IDENTITY_USER_DATA "
            + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";

Since the above String concatenation is done at compile time and no dynamic
input is involved, it is clear that this query is properly structured for
the PreparedStatement. Further, you should notice that if you use
PreparedStatement, the implementation of that interface is provided by the
appropriate JDBC driver, and that implementation is responsible for
escaping your input [2]. No extra effort is needed to sanitize the input on
your own.

The error message you are getting is produced in the SQLInjectionCheck.java
class of the sonar-java plugin [3].

    parameterName = "";
    if (isDynamicString(methodTree, arg, null, true)) {
        String message = "\"" + parameterName + "\" is provided externally to the method and not sanitized before use.";
        if (isHibernateCall) {
            message = "Use Hibernate's parameter binding instead of concatenation.";
        }
        addIssue(methodTree, message);
    }

For some reason "isDynamicString()" is returning true but `parameterName`
is kept empty [4]. So I believe it could be a *limitation or a bug* in the
*sonar-java* plugin.

Are you getting the same error for the following lines as well? If not, that
is weird.

    prepStmt = connection.prepareStatement(SQLQuery.STORE_USER_DATA);

    prepStmt = connection.prepareStatement(SQLQuery.UPDATE_USER_DATA);

    prepStmt = connection.prepareStatement(SQLQuery.LOAD_USER_DATA);

    prepStmt = connection.prepareStatement(SQLQuery.DELETE_USER_DATA);

[1] https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92

[2] http://stackoverflow.com/a/22311119/1560536

[3] https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java

[4] https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/AbstractInjectionChecker.java

On Thu, Jun 4, 2015 at 8:17 PM, Hasanthi Purnima Dissanayake <[email protected]> wrote:

> Hi Chamila,
>
> Some programs accept untrusted data originating from invalid sources and
> then pass it to different trusted domains. Most of the time the data is in
> the form of a string with some internal syntactic structure, which the
> subsystem must parse. Such data must be sanitized both because the
> subsystem may be unprepared to handle the malformed input and because
> unsanitized input may include an injection attack.
>
> As an example:
>
> The problem:
>
> The sqlString mentioned below accepts unsanitized input arguments, so it
> may permit a SQL injection attack:
>
> public void accessPermission(String username, char[] password) throws SQLException {
>     // Vulnerable: the caller-supplied values are spliced into the statement text
>     String sqlString = "SELECT * FROM db_user WHERE username = '" + username
>             + "' AND password = '" + new String(password) + "'";
> }
>
>
> The solution:
>
> public void accessPermission(String username, char[] password) throws SQLException {
>     // Safe: the values are bound as parameters and escaped by the JDBC driver
>     String sqlString = "select * from db_user where username = ? and password = ?";
>     PreparedStatement stmt = connection.prepareStatement(sqlString);
>
>     stmt.setString(1, username);
>     stmt.setString(2, new String(password));
> }
>
> This API can be used for building SQL commands that sanitize untrusted
> data.
>
> Thanks and Regards,
>
> Hasanthi Dissanayake
>
> Software Engineer | WSO2
>
> E: [email protected] <[email protected]>
> M :0718407133| http://wso2.com <http://wso2.com/>
>
> On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna <[email protected]> wrote:
>
>> Hi Rajeevan,
>>
>> Value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM
>> IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND
>> DATA_KEY=?".
>> I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID =
>> ? AND USER_NAME = ? AND DATA_KEY=?" and
>> "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND
>> USER_NAME=? AND DATA_KEY=?" as well, but I am still getting the same result.
>>
>> Thanks.
>>
>> On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan <[email protected]> wrote:
>>
>>> Hi Chamila,
>>>
>>> What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a constant?
>>> You can find a similar issue reported at [1].
>>>
>>> [1]
>>> http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability
>>>
>>> Thanks,
>>> Rajeevan
>>>
>>> On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna <[email protected]> wrote:
>>>
>>>> Hello all,
>>>>
>>>> When profiling using Sonar, I'm getting an error as in $subject
>>>> (squid:S2077) from [1]. What is the reason for this warning? How can I
>>>> solve this?
>>>>
>>>> 1.
>>>> https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>>>>
>>>> Thank You!
>>>>
>>>> --
>>>> *Chamila Dilshan Wijayarathna,*
>>>> Software Engineer
>>>> Mobile:(+94)788193620
>>>> WSO2 Inc., http://wso2.com/
>>>>
>>>> _______________________________________________
>>>> Dev mailing list
>>>> [email protected]
>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> Vimalanathan Rajeevan
>>> Software Engineer
>>> WSO2 Inc.:http://wso2.com
>>> lean.enterprise.middleware
>>>
>>>
>>> Mobile : +94 773090875
>>>
>>
>>
>>
>> --
>> *Chamila Dilshan Wijayarathna,*
>> Software Engineer
>> Mobile:(+94)788193620
>> WSO2 Inc., http://wso2.com/
>>
>>
>>
>
>
>


-- 
With Regards,

*Rasika Perera*
Software Engineer
M: +94 71 680 9060 E: [email protected]
LinkedIn: http://lk.linkedin.com/in/rasika90

WSO2 Inc. www.wso2.com
lean.enterprise.middleware
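As an added example (not code from this thread or from the carbon-identity project), the CHECK_EXIST_USER_DATA query above is run through Python's sqlite3 driver, whose `?` binding behaves like JDBC's PreparedStatement: the compile-time concatenation of literal fragments is still one fixed parameterized statement, so a user name containing a quote is handled as data, while the run-time concatenation from the "problem" snippet breaks on the same input. The table rows and the `o'brien` user are constructed for this example.

```python
import sqlite3

# Constructed rows for the IDN_IDENTITY_USER_DATA table named in the thread;
# the column names come from the query, the values are made up here.
ROWS = [
    (1, "alice", "lastLogin", "2015-06-01"),
    (1, "o'brien", "lastLogin", "2015-06-02"),
    (2, "alice", "lastLogin", "2015-05-30"),
]

# Same shape as the thread's CHECK_EXIST_USER_DATA: only literal fragments
# are concatenated, yielding a fixed string with '?' placeholders.
CHECK_EXIST_USER_DATA = ("SELECT " + "DATA_VALUE "
                         + "FROM IDN_IDENTITY_USER_DATA "
                         + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?")

def make_db():
    """In-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IDN_IDENTITY_USER_DATA "
                 "(TENANT_ID INTEGER, USER_NAME TEXT, DATA_KEY TEXT, DATA_VALUE TEXT)")
    conn.executemany("INSERT INTO IDN_IDENTITY_USER_DATA VALUES (?, ?, ?, ?)", ROWS)
    return conn

def load_bound(conn, tenant_id, user_name, data_key):
    """Parameter binding (the PreparedStatement approach): the driver passes the
    values separately from the SQL text, so a quote in user_name is just data."""
    row = conn.execute(CHECK_EXIST_USER_DATA, (tenant_id, user_name, data_key)).fetchone()
    return row[0] if row else None

def load_concat(conn, tenant_id, user_name, data_key):
    """The anti-pattern from the 'problem' snippet: input spliced into the
    statement text at run time, so a quote changes the SQL itself."""
    sql = ("SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = "
           + str(tenant_id) + " AND USER_NAME = '" + user_name
           + "' AND DATA_KEY = '" + data_key + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def handles_quote_in_name(loader):
    """True if the loader returns o'brien's row; False if the quote breaks the SQL."""
    try:
        return loader(make_db(), 1, "o'brien", "lastLogin") == "2015-06-02"
    except sqlite3.OperationalError:
        return False
```

`handles_quote_in_name(load_bound)` is True and `handles_quote_in_name(load_concat)` is False, which is the practical difference Sonar's rule is meant to catch and which a constant query with bound parameters does not exhibit.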
