I am getting the "Change this code to not construct SQL queries directly from user-controlled data" issue for files where the query is formed by appending some constants based on an if condition.
Any suggestions on how to resolve the Sonar issue?
Sonar Version 9.9.1
This message happens when you directly add data from a request to the query builder: for example, GET parameters, route parameters, or POST parameters, you name it.
If you concatenate data coming from a request into the query builder, this is vulnerable to SQL injection.
Instead, you need to use a prepared statement: instead of concatenating the data, you add a ? string, and then use function number 2 here (not number 1, the one you are currently using, which is unsafe):
Starting from the 3rd argument, you add the initial object(s). So you need to make sure the object(s) is/are passed to the findData function. The point is: do not concatenate request data into SQL queries, use "prepared statements" instead.
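As an added illustration of the advice above (example code written for this thread, not code from the original poster's project or from SonarSource): the conditional-append pattern the question describes, first in the shape the rule flags and then rewritten so that the SQL string only ever contains constants and `?` placeholders while the request values travel in a separate parameter list. The `FilterCriteria` fields, the `inbound_lt` table and the column names are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class FilterQueryExample {

    /** Constructed stand-in for the filter DTO received in the request body. */
    public static class FilterCriteria {
        public String customerCode;   // user-controlled
        public String status;         // user-controlled
        public Integer minQuantity;   // user-controlled
    }

    /** The shape SonarQube flags: request data is concatenated into the SQL text. */
    public static String buildUnsafeQuery(FilterCriteria f) {
        StringBuilder queryBuilder = new StringBuilder(
            "SELECT id FROM inbound_lt WHERE 1=1");
        if (f.customerCode != null) {
            queryBuilder.append(" AND customer_code = '").append(f.customerCode).append("'");
        }
        if (f.status != null) {
            queryBuilder.append(" AND status = '").append(f.status).append("'");
        }
        if (f.minQuantity != null) {
            queryBuilder.append(" AND qty >= ").append(f.minQuantity);
        }
        return queryBuilder.toString();
    }

    /** SQL text plus the values that belong to its placeholders, in order. */
    public static class ParameterizedQuery {
        public final String sql;
        public final List<Object> params;
        ParameterizedQuery(String sql, List<Object> params) {
            this.sql = sql;
            this.params = params;
        }
    }

    /** Safe version: same if-conditions, but each append adds only a constant
     *  fragment with a '?' and pushes the user value into the parameter list. */
    public static ParameterizedQuery buildSafeQuery(FilterCriteria f) {
        StringBuilder queryBuilder = new StringBuilder(
            "SELECT id FROM inbound_lt WHERE 1=1");
        List<Object> params = new ArrayList<>();
        if (f.customerCode != null) {
            queryBuilder.append(" AND customer_code = ?");
            params.add(f.customerCode);
        }
        if (f.status != null) {
            queryBuilder.append(" AND status = ?");
            params.add(f.status);
        }
        if (f.minQuantity != null) {
            queryBuilder.append(" AND qty >= ?");
            params.add(f.minQuantity);
        }
        return new ParameterizedQuery(queryBuilder.toString(), params);
    }

    /** Binds the collected values positionally (JDBC placeholders are 1-based). */
    public static List<Long> findData(Connection conn, FilterCriteria f) throws SQLException {
        ParameterizedQuery q = buildSafeQuery(f);
        List<Long> ids = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(q.sql)) {
            for (int i = 0; i < q.params.size(); i++) {
                ps.setObject(i + 1, q.params.get(i));
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    ids.add(rs.getLong("id"));
                }
            }
        }
        return ids;
    }

    public static void main(String[] args) {
        // Constructed input with an apostrophe: it breaks the concatenated query
        // but is handled as an ordinary value by the parameterized one.
        FilterCriteria f = new FilterCriteria();
        f.customerCode = "O'Brien";
        f.minQuantity = 10;
        System.out.println("unsafe: " + buildUnsafeQuery(f));
        ParameterizedQuery q = buildSafeQuery(f);
        System.out.println("safe:   " + q.sql + "   params=" + q.params);
    }
}
```

The number of `?` placeholders and the size of `params` grow together, so the if-conditions can stay exactly as they are; what changes is that the request values never reach the SQL text. If the project uses Spring's `JdbcTemplate`, the same list can be passed as the trailing varargs of `query(sql, rowMapper, params.toArray())`; which API the screenshots in the thread refer to is not visible on this page.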
Update: On further analysis, I found that there are a series of issues shown in SonarQube, starting with "Source: a user can craft an HTTP request with malicious content" for the RequestBody where I am accepting a Filter DTO object. Is there any way to resolve this while getting the request from the API, since the code has multiple append statements based on if conditions?
Please click on the numbers and take screenshots of the code next to them. When you click on a number, it goes to the code, and I need to see all the numbers.
Also, I need to see all the numbers; normally there's "SINK" written in the last one, like this:
I also need to understand the code of InboundLtService.java.
Basically, to really understand, I need to understand your code, to know where the problem is.
Hi @neha_menezes, I expected to see the line where there's a queryBuilder.append with a filterCriteria attribute, so we need to dig further and look at appendFilterCriteria or appendStringEqualFilterCriteria.
To avoid too many screenshots and taking too long, here is what I suggest:
Follow the queryBuilder variable every time it goes into a function with filterCriteria. And then, every time there is
queryBuilder.append(filterCriteria.A);, queryBuilder.append(filterCriteria.B);, queryBuilder.append(filterCriteria.C);, etc.