Objectives

The primary objective of DynSqlSelectStmts is to identify and report dynamically built SQL statements embedded in Java code. For each instance of dynamic SQL, the class identifies and reports any concatenated expressions, such as variables and method calls that return data. The rule then traces each expression to determine whether it is linked to a source of user-controllable input. Ultimately, the rule generates a list of PMD security violations that serve as a test plan for manually verifying SQL injection vulnerabilities.
For the purposes of this rule, method arguments/parameters in the source are considered user-controllable input. Therefore, data tracing from identified symptom code to sources of user-controllable input is limited to the scope of a single method.
Consider the simple doGet method in Example 6-1. Based on the outlined objectives, the class should accomplish the following, in the order shown:

1. Identify and report the dynamic SQL statement.
2. Identify the concatenated variable id, and trace it back to the request object (i.e., user-controllable input).
3. Halt the trace upon reaching the request object and report the finding.
Tip

The request object is a source of user-controllable input and therefore warrants close manual inspection, especially if it’s related to a security violation PMD has reported. In the big picture of code review, do not forget to investigate the response object for potential security vulnerabilities.
Example 6-1. Simplified doGet method ...
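The three steps above, carried out by a small stand-alone tracer (an added example, not the book's DynSqlSelectStmts rule and not its Example 6-1): it finds variables that hold concatenated SQL, splits off the non-literal operands, and follows each back through the method's assignments until it reaches a method parameter such as request, where it halts and reports the chain. The Java method, the regexes and the single-method scope are constructed simplifications; a real PMD rule works on the AST rather than on source text.

```python
import re
# Constructed sample (not the book's Example 6-1): a servlet doGet that builds SQL from request data.
SAMPLE_DOGET = '''
protected void doGet(HttpServletRequest request, HttpServletResponse response) {
    String id = request.getParameter("id");
    String table = "users";
    String sql = "SELECT * FROM " + table + " WHERE id = " + id;
    sql += " AND status = " + request.getParameter("status");
    ResultSet rs = stmt.executeQuery(sql);
}
'''
SQL_LITERAL = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)
ASSIGNMENT = re.compile(r'^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*\+?=\s*(.+);\s*$')
IDENT = re.compile(r'\b[A-Za-z_]\w*\b')

def parse_method(src):
    """Return (parameter names, {variable: [right-hand sides, in order]}) for one Java method."""
    header, *body = src.strip().splitlines()
    signature = header[header.index('(') + 1:header.rindex(')')]
    params = {p.split()[-1] for p in signature.split(',') if p.strip()}
    defs = {}
    for m in filter(None, map(ASSIGNMENT.match, body)):
        defs.setdefault(m.group(1), []).append(m.group(2))   # '=' and '+=' both recorded
    return params, defs

def trace(expr, params, defs, seen=()):
    """Follow expr back through this method's assignments to a method parameter (user input), else None."""
    for name in IDENT.findall(expr):
        if name in params:
            return [expr, f'parameter {name}']   # halt the trace: reached user-controllable input
        if name in defs and name not in seen:
            for rhs in defs[name]:
                chain = trace(rhs, params, defs, seen + (name,))
                if chain:
                    return [expr] + chain
    return None

def find_dynamic_sql(src):
    """Report (variable, concatenated expression, trace chain) for each non-literal SQL operand."""
    params, defs = parse_method(src)
    findings = []
    for var, rhss in defs.items():
        if not any(SQL_LITERAL.search(r) for r in rhss):
            continue                              # variable never holds a SQL statement
        for rhs in rhss:
            # Splitting on '+' assumes no '+' inside string literals (simplification).
            for part in (p.strip() for p in rhs.split('+')):
                if part and not part.startswith('"'):
                    findings.append((var, part, trace(part, params, defs)))
    return findings
```

A chain of None (here for table) means the operand was not linked to input within the method, while the two request-derived operands end at the request parameter, mirroring the violation list the rule produces as a manual test plan.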