Hi Rasika,

Other prepared statements also give the same error.

Thank You!

On Sat, Jun 6, 2015 at 5:38 PM, Rasika Perera <rasi...@wso2.com> wrote:

> Hi All,
>
> I also analyzed this problem. My best guess is that this is a limitation
> or a bug in the "sonar" plugin. Let me present my observations and hope you
> find this reply useful for solving the issue.
>
> Code line 92 in [1] is as follows (however, it is not recommended to refer
> to code lines in Git, since they drift with continuous code changes):
>
> prepStmt = connection.prepareStatement(SQLQuery.*CHECK_EXIST_USER_DATA*);
>
>
> In the latter part, *CHECK_EXIST_USER_DATA* is defined as a constant in
> the inner class named "SQLQuery" (refer below).
>
> public static final String CHECK_EXIST_USER_DATA = "SELECT " + "DATA_VALUE "
>         + "FROM IDN_IDENTITY_USER_DATA "
>         + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
>
>
> Since the above String concatenation is done at compile time and no
> dynamic input is involved, it is clear that this query is properly
> structured for the PreparedStatement. Further, you should notice that if you
> use PreparedStatement, the implementation of that interface is provided by
> the appropriate JDBC driver, and that implementation is responsible for
> escaping your input [2]. No extra effort is needed to sanitize the input on
> your own.
>
> The error message you are getting is produced in the SQLInjectionCheck.java
> class of the sonar-java plugin [3].
>
> parameterName = "";
> if (isDynamicString(methodTree, arg, null, true)) {
>     String message = "\"" + parameterName + "\" is provided externally to the method and not sanitized before use.";
>     if (isHibernateCall) {
>         message = "Use Hibernate's parameter binding instead of concatenation.";
>     }
>     addIssue(methodTree, message);
> }
>
>
> For some reason "isDynamicString()" is returning true but `parameterName`
> is kept empty [4]. So I believe it could be a *limitation or a bug* in the
> *sonar-java* plugin.
>
> Are you getting the same error for the following lines as well? If not, that
> is weird.
>
> prepStmt = connection.prepareStatement(SQLQuery.STORE_USER_DATA);
>
>
> prepStmt = connection.prepareStatement(SQLQuery.UPDATE_USER_DATA);
>
>
> prepStmt = connection.prepareStatement(SQLQuery.LOAD_USER_DATA);
>
>
> prepStmt = connection.prepareStatement(SQLQuery.DELETE_USER_DATA);
>
>
>
> [1]
> https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>
> [2] http://stackoverflow.com/a/22311119/1560536
>
> [3]
> https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java
>
> [4]
> https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/AbstractInjectionChecker.java
>
>
>
> On Thu, Jun 4, 2015 at 8:17 PM, Hasanthi Purnima Dissanayake <
> hasan...@wso2.com> wrote:
>
>> Hi Chamila,
>>
>> Some programs accept untrusted data originating from invalid sources and
>> then pass it to different trusted domains. Most of the time the data is in
>> the form of a string with some internal syntactic structure, which the
>> subsystem must parse. Such data must be sanitized, both because the
>> subsystem may be unprepared to handle the malformed input and because
>> unsanitized input may include an injection attack.
>>
>> As an example:
>>
>> The problem:
>>
>> The sqlString mentioned below accepts unsanitized input arguments, so it
>> may permit a SQL injection attack.
>>
>> public void accessPermission(String username, char[] password) throws SQLException {
>>     // Vulnerable: the caller-controlled values are spliced into the SQL text,
>>     // so a crafted username can change the structure of the query.
>>     String sqlString = "SELECT * FROM db_user"
>>             + " WHERE username = '" + username
>>             + "' AND password = '" + new String(password) + "'";
>>     Statement stmt = connection.createStatement();
>>     ResultSet rs = stmt.executeQuery(sqlString);
>> }
>>
>>
>> The solution:
>>
>> public void accessPermission(String username, char[] password) throws SQLException {
>>     // Safe: the query text is fixed and both values are bound by the JDBC driver
>>     String sqlString = "select * from db_user where username=? and password=?";
>>     PreparedStatement stmt = connection.prepareStatement(sqlString);
>>     stmt.setString(1, username);
>>     stmt.setString(2, new String(password));
>>     ResultSet rs = stmt.executeQuery();
>> }
>>
>> This API can be used for building SQL commands that sanitize untrusted
>> data.
>>
>> Thanks and Regards,
>>
>>
>>
>>
>>
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: hasan...@wso2.com <nirosh...@wso2.com>
>> M :0718407133| http://wso2.com <http://wso2.com/>
>>
>> On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna <cham...@wso2.com>
>> wrote:
>>
>>> Hi Rajeevan,
>>>
>>> Value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM
>>> IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND
>>> DATA_KEY=?".
>>> I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID
>>> = ? AND USER_NAME = ? AND DATA_KEY=?" and
>>> "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND
>>> USER_NAME=? AND DATA_KEY=?" as well, but I'm still getting the same result.
>>>
>>> Thanks.
>>>
>>> On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan <
>>> rajeev...@wso2.com> wrote:
>>>
>>>> Hi Chamila,
>>>>
>>>> What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a
>>>> constant?
>>>> You can find a similar issue reported at [1].
>>>>
>>>> [1]
>>>> http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability
>>>>
>>>> Thanks,
>>>> Rajeevan
>>>>
>>>> On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna <cham...@wso2.com>
>>>> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> When profiling using Sonar, I'm getting an error as in $subject
>>>>> (squid:S2077) from [1]. What is the reason for this warning? How can I
>>>>> solve this?
>>>>>
>>>>> [1]
>>>>> https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>>>>>
>>>>> Thank You!
>>>>>
>>>>> --
>>>>> *Chamila Dilshan Wijayarathna,*
>>>>> Software Engineer
>>>>> Mobile:(+94)788193620
>>>>> WSO2 Inc., http://wso2.com/
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> Vimalanathan Rajeevan
>>>> Software Engineer
>>>> WSO2 Inc.:http://wso2.com
>>>> lean.enterprise.middleware
>>>>
>>>>
>>>> Mobile : +94 773090875
>>>>
>>>
>>>
>>>
>>> --
>>> *Chamila Dilshan Wijayarathna,*
>>> Software Engineer
>>> Mobile:(+94)788193620
>>> WSO2 Inc., http://wso2.com/
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> With Regards,
>
> *Rasika Perera*
> Software Engineer
> M: +94 71 680 9060 E: rasi...@wso2.com
> LinkedIn: http://lk.linkedin.com/in/rasika90
>
> WSO2 Inc. www.wso2.com
> lean.enterprise.middleware
>



-- 
*Chamila Dilshan Wijayarathna,*
Software Engineer
Mobile:(+94)788193620
WSO2 Inc., http://wso2.com/
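Added example (not code from the carbon-identity project or from anyone in this thread) that ties together Rasika's point about compile-time constant concatenation and Hasanthi's point about parameter binding: it declares the same constant the thread discusses, checks that javac folded it into a single interned literal, and runs the query with all three values bound through PreparedStatement. The column types (TENANT_ID assumed to be an integer) and the caller-supplied Connection are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/** Illustrative class, not the project's JDBCIdentityDataStore. */
public class IdentityDataStoreExample {

    /** Mirrors the constant discussed in the thread. javac folds a
     *  concatenation of string literals into one literal (JLS 15.28). */
    static final class SQLQuery {
        static final String CHECK_EXIST_USER_DATA = "SELECT " + "DATA_VALUE "
                + "FROM IDN_IDENTITY_USER_DATA "
                + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
    }

    /** Compile-time constant strings are interned (JLS 3.10.5), so the folded
     *  constant is the very same object as the equivalent single literal.
     *  Returns true; a query assembled at runtime would not pass this check. */
    static boolean isCompileTimeConstant() {
        return SQLQuery.CHECK_EXIST_USER_DATA
                == "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA "
                   + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
    }

    /** Runs the existence check with every value bound by the JDBC driver.
     *  userName and dataKey never become part of the SQL text, so a value
     *  containing quotes or comment markers cannot alter the query shape.
     *  Assumption: TENANT_ID is an integer column. */
    static boolean userDataExists(Connection connection, int tenantId,
                                  String userName, String dataKey)
            throws SQLException {
        try (PreparedStatement prepStmt =
                     connection.prepareStatement(SQLQuery.CHECK_EXIST_USER_DATA)) {
            prepStmt.setInt(1, tenantId);
            prepStmt.setString(2, userName);
            prepStmt.setString(3, dataKey);
            try (ResultSet rs = prepStmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        System.out.println("Query folded at compile time: " + isCompileTimeConstant());
    }
}
```

Calling userDataExists needs a live Connection from the data source the store is configured with; the constant-folding check runs without one.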
