Hi Rasika,

The other prepared statements also give the same error.
Thank You!

On Sat, Jun 6, 2015 at 5:38 PM, Rasika Perera <rasi...@wso2.com> wrote:

> Hi All,
>
> I also analyzed this problem. My best guess is that this is a limitation
> or a bug in the "sonar" plugin. Let me present my observations and hope you
> might find this reply useful to solve the issue.
>
> The code line 92 in [1] is; (However it is not recommended to refer to code
> lines in Git since it is erroneous due to continuous code changes).
>
>     prepStmt = connection.prepareStatement(SQLQuery.CHECK_EXIST_USER_DATA);
>
> In the latter part CHECK_EXIST_USER_DATA is defined as a constant in
> the inner class named "SQLQuery" (refer below).
>
>>     public static final String CHECK_EXIST_USER_DATA = "SELECT " + "DATA_VALUE "
>>             + "FROM IDN_IDENTITY_USER_DATA "
>>             + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
>
> Since the above String concatenation is done at compile time and no
> dynamic input is involved, it is clear that this query is properly
> structured for the Prepared Statement. Further, you should notice that if you
> use PreparedStatement, the implementation for that interface is provided by
> the appropriate JDBC Driver, and that implementation is responsible for
> escaping your input [2]. No extra effort is needed to sanitize the input on
> your own.
>
> The error message you are getting is produced in the SQLInjectionCheck.java
> class in the sonar-java plugin [3].
>
>>     parameterName = "";
>>     if (isDynamicString(methodTree, arg, null, true)) {
>>       String message = "\"" + parameterName + "\" is provided externally to the method and not sanitized before use.";
>>       if (isHibernateCall) {
>>         message = "Use Hibernate's parameter binding instead of concatenation.";
>>       }
>>       addIssue(methodTree, message);
>>     }
>
> For some reason "isDynamicString()" is returning true but `parameterName`
> is kept empty [4]. So I believe it could be a limitation or a bug in the
> sonar-java plugin.
>
> Are you getting the same error for the following lines as well? If not, that is
> weird.
>
>     prepStmt = connection.prepareStatement(SQLQuery.STORE_USER_DATA);
>     prepStmt = connection.prepareStatement(SQLQuery.UPDATE_USER_DATA);
>     prepStmt = connection.prepareStatement(SQLQuery.LOAD_USER_DATA);
>     prepStmt = connection.prepareStatement(SQLQuery.DELETE_USER_DATA);
>
> [1] https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
> [2] http://stackoverflow.com/a/22311119/1560536
> [3] https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/SQLInjectionCheck.java
> [4] https://github.com/SonarSource/sonar-java/blob/master/java-checks/src/main/java/org/sonar/java/checks/AbstractInjectionChecker.java
>
> On Thu, Jun 4, 2015 at 8:17 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>
>> Hi Chamila,
>>
>> Some programs accept untrusted data originating from invalid sources and
>> then pass it to different trusted domains. Most of the time the data is in
>> the form of a string with some internal syntactic structure, which the
>> subsystem must parse. Such data must be sanitized both because the
>> subsystem may be unprepared to handle the malformed input and because
>> unsanitized input may include an injection attack.
>>
>> As an example:
>>
>> The problem:
>>
>> The sqlString mentioned below accepts unsanitized input arguments, so it
>> may permit a SQL injection attack.
>>
>>     public void accessPermission(String username, char[] password) throws SQLException {
>>         // the password array is turned into a String so it can be concatenated
>>         String pwd = new String(password);
>>         // both arguments are spliced straight into the SQL text
>>         String sqlString = "SELECT * FROM db_user WHERE username = '" + username
>>                 + "' AND password = '" + pwd + "'";
>>     }
>>
>> The solution:
>>
>>     public void accessPermission(String username, char[] password) throws SQLException {
>>         String pwd = new String(password);
>>         // the query text is fixed; the values travel as bound parameters
>>         String sqlString = "select * from db_user where username=? and password=?";
>>         PreparedStatement stmt = connection.prepareStatement(sqlString);
>>         stmt.setString(1, username);
>>         stmt.setString(2, pwd);
>>     }
>>
>> This API can be used for building SQL commands that sanitize untrusted
>> data.
>>
>> Thanks and Regards,
>>
>> Hasanthi Dissanayake
>> Software Engineer | WSO2
>> E: hasan...@wso2.com
>> M: 0718407133 | http://wso2.com
>>
>> On Thu, Jun 4, 2015 at 4:38 PM, Chamila Wijayarathna <cham...@wso2.com> wrote:
>>
>>> Hi Rajeevan,
>>>
>>> The value of CHECK_EXIST_USER_DATA is "SELECT " + "DATA_VALUE " + "FROM
>>> IDN_IDENTITY_USER_DATA " + "WHERE TENANT_ID = ? AND USER_NAME = ? AND
>>> DATA_KEY=?".
>>> I tried "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID
>>> = ? AND USER_NAME = ? AND DATA_KEY=?" and
>>> "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID=? AND
>>> USER_NAME=? AND DATA_KEY=?" as well, but I am still getting the same result.
>>>
>>> Thanks.
>>>
>>> On Thu, Jun 4, 2015 at 4:05 PM, Rajeevan Vimalanathan <rajeev...@wso2.com> wrote:
>>>
>>>> Hi Chamila,
>>>>
>>>> What is the value of SQLQuery.CHECK_EXIST_USER_DATA? Is this a
>>>> constant?
>>>> You can find a similar issue reported at [1].
>>>>
>>>> [1] http://stackoverflow.com/questions/398179/findbugs-not-finding-potential-sql-injection-vulnerability
>>>>
>>>> Thanks,
>>>> Rajeevan
>>>>
>>>> On Wed, Jun 3, 2015 at 9:57 AM, Chamila Wijayarathna <cham...@wso2.com> wrote:
>>>>
>>>>> Hello all,
>>>>>
>>>>> When profiling using Sonar, I'm getting an error as in $subject
>>>>> (squid:S2077) from [1]. What is the reason for this warning? How can I
>>>>> solve it?
>>>>>
>>>>> 1. https://github.com/wso2/carbon-identity/blob/master/components/identity-mgt/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/store/JDBCIdentityDataStore.java#L92
>>>>>
>>>>> Thank You!
>>>>>
>>>>> --
>>>>> Chamila Dilshan Wijayarathna,
>>>>> Software Engineer
>>>>> Mobile: (+94)788193620
>>>>> WSO2 Inc., http://wso2.com/
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>
>>>> --
>>>> Vimalanathan Rajeevan
>>>> Software Engineer
>>>> WSO2 Inc.: http://wso2.com
>>>> lean.enterprise.middleware
>>>> Mobile : +94 773090875
>>>
>>> --
>>> Chamila Dilshan Wijayarathna,
>>> Software Engineer
>>> Mobile: (+94)788193620
>>> WSO2 Inc., http://wso2.com/
>
> --
> With Regards,
>
> Rasika Perera
> Software Engineer
> M: +94 71 680 9060 E: rasi...@wso2.com
> LinkedIn: http://lk.linkedin.com/in/rasika90
>
> WSO2 Inc. www.wso2.com
> lean.enterprise.middleware

--
Chamila Dilshan Wijayarathna,
Software Engineer
Mobile: (+94)788193620
WSO2 Inc., http://wso2.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
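The two points made in the thread, as one added example that is not part of the mailing-list discussion and not code from WSO2 carbon-identity or sonar-java: Rasika's observation that the flagged query is a compile-time constant (so nothing external can reach its text), and Hasanthi's contrast between splicing a value into the SQL string and binding it through a `?` placeholder. The `SQLQuery` nested class mirrors the shape of the flagged constant; the `PreparedStatementDemo` class name, the H2 in-memory database (assumed to be on the classpath, e.g. `java -cp h2.jar:. PreparedStatementDemo`), and the `IDN_IDENTITY_USER_DATA` rows it creates are assumptions and constructed data for the demo only.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Added example (not WSO2 or sonar-java code).
 * Assumes the H2 JDBC driver is on the classpath; the table and rows
 * below are constructed for the demonstration.
 */
public class PreparedStatementDemo {

    /** Same shape as the constant Sonar flagged: literals joined with '+' in a static final field. */
    static final class SQLQuery {
        static final String CHECK_EXIST_USER_DATA = "SELECT " + "DATA_VALUE "
                + "FROM IDN_IDENTITY_USER_DATA "
                + "WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
    }

    /**
     * JLS 15.28: a concatenation of constant expressions is itself a constant
     * expression; javac folds it and interns the result like a literal, so
     * reference equality with the spelled-out literal holds. A string built
     * from a method parameter or a non-final field would never satisfy this.
     */
    static boolean isCompileTimeConstant() {
        return SQLQuery.CHECK_EXIST_USER_DATA
                == "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = ? AND USER_NAME = ? AND DATA_KEY=?";
    }

    /** Constructed sample data: two users of one tenant, each with one claim value. */
    static void seed(Connection c) throws SQLException {
        try (Statement s = c.createStatement()) {
            s.execute("CREATE TABLE IDN_IDENTITY_USER_DATA ("
                    + "TENANT_ID INT, USER_NAME VARCHAR(255), DATA_KEY VARCHAR(255), DATA_VALUE VARCHAR(255))");
            s.execute("INSERT INTO IDN_IDENTITY_USER_DATA VALUES (1, 'alice', 'accountLocked', 'true')");
            s.execute("INSERT INTO IDN_IDENTITY_USER_DATA VALUES (1, 'bob', 'accountLocked', 'false')");
        }
    }

    /** Vulnerable: the caller-supplied user name becomes part of the SQL text. */
    static int lookupConcatenated(Connection c, int tenantId, String userName, String key)
            throws SQLException {
        String sql = "SELECT DATA_VALUE FROM IDN_IDENTITY_USER_DATA WHERE TENANT_ID = " + tenantId
                + " AND USER_NAME = '" + userName + "' AND DATA_KEY = '" + key + "'";
        try (Statement s = c.createStatement(); ResultSet rs = s.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    /** Safe: the constant query carries placeholders and the driver binds the values as data, never as SQL. */
    static int lookupBound(Connection c, int tenantId, String userName, String key)
            throws SQLException {
        try (PreparedStatement ps = c.prepareStatement(SQLQuery.CHECK_EXIST_USER_DATA)) {
            ps.setInt(1, tenantId);
            ps.setString(2, userName);
            ps.setString(3, key);
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        System.out.println("CHECK_EXIST_USER_DATA folded at compile time: " + isCompileTimeConstant());
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            seed(c);
            // Closes the open quote, appends an always-true predicate and comments out the rest of the query.
            String crafted = "' OR 1=1 --";
            System.out.println("concatenated, alice  : " + lookupConcatenated(c, 1, "alice", "accountLocked"));
            System.out.println("concatenated, crafted: " + lookupConcatenated(c, 1, crafted, "accountLocked"));
            System.out.println("bound, alice         : " + lookupBound(c, 1, "alice", "accountLocked"));
            System.out.println("bound, crafted       : " + lookupBound(c, 1, crafted, "accountLocked"));
        }
    }
}
```

Under concatenation the crafted user name rewrites the WHERE clause and the query stops filtering by user or claim key; under binding the same bytes are compared as a literal user name and match nothing, while the legitimate look-up behaves identically in both paths. That is why the `?` placeholders in a folded constant, not any sanitising of the arguments, are what makes the flagged line safe.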