Objectives

The primary objective of DynSqlSelectStmts is to identify and report dynamically built SQL statements embedded in Java code. For each instance of dynamic SQL, the class identifies and reports any concatenated expressions, such as variables and method calls that return data. The rule then traces each expression to determine whether it is linked to a source of user-controllable input. Ultimately, the rule generates a list of PMD security violations that serve as a test plan for manually verifying SQL Injection vulnerabilities.

For the purposes of this rule, method arguments/parameters in the source are considered user-controllable input. Therefore, data tracing from identified symptom code to sources of user-controllable input is limited to the scope of a single method.

Consider the simple doGet method in Example 6-1. Based on the outlined objectives, the class should accomplish the following, in the order shown:

  1. Identify and report the dynamic SQL statement.

  2. Identify the concatenated variable id, and trace it back to the request object (i.e., user-controllable input).

  3. Halt the trace upon reaching the request object and report the finding.

Tip

The request object is a source of user-controllable input and therefore warrants close manual inspection, especially if it’s related to a security violation PMD has reported. In the big picture of code review, do not forget to investigate the response object for potential security vulnerabilities.

Example 6-1. Simplified doGet method ...
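To make the three steps concrete, here is an added Python sketch (not the book's rule, which is written in Java against PMD's AST) that applies the same scheme to a constructed doGet method: it flags the dynamic SQL statement, extracts the concatenated operands, and traces each one through the method's local assignments until it reaches a method parameter. The regex-based parsing, the sample method and the output format are simplifications chosen for this illustration.

```python
import re
# Constructed servlet method used as input; it is NOT the book's Example 6-1.
# Only this method body is analysed, matching the rule's single-method scope.
JAVA_DOGET = """\
public void doGet(HttpServletRequest request, HttpServletResponse response) {
    String id = request.getParameter("id");
    String table = "users";
    String query = "SELECT * FROM " + table + " WHERE id = " + id;
    ResultSet rs = conn.createStatement().executeQuery(query);
}
"""
SQL_LITERAL = re.compile(r'"\s*(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)
PARAM_LIST = re.compile(r'\(([^)]*)\)\s*\{')
ASSIGNMENT = re.compile(r'^\s*(?:[\w<>\[\]]+\s+)?(\w+)\s*=\s*(.+);\s*$', re.M)
STRING = re.compile(r'"(?:\\.|[^"\\])*"')
def concat_operands(rhs):
    # Non-literal operands of a '+' concatenation (literals are blanked first).
    return [p.strip() for p in STRING.sub('""', rhs).split('+') if p.strip() != '""']

def trace(expr, params, assigns, path=()):
    # Follow the expression's leading identifier (request.getParameter("id") ->
    # "request") back through local assignments to a method parameter (step 3).
    m = re.match(r'\w+', expr)
    if not m or m.group() in path:                 # a literal, or a cycle
        return None
    name, path = m.group(), path + (m.group(),)
    if name in params:
        return list(path)
    rhs = assigns.get(name, "")                    # "" for fields and unknowns
    for sub in concat_operands(rhs) or [rhs]:
        chain = trace(sub, params, assigns, path)
        if chain:
            return chain
    return None

def find_violations(src):
    # Method parameters are the rule's sources of user-controllable input.
    params = {p.split()[-1] for p in PARAM_LIST.search(src).group(1).split(',')}
    assigns = {name: rhs.strip() for name, rhs in ASSIGNMENT.findall(src)}
    findings = []
    for var, rhs in assigns.items():
        operands = concat_operands(rhs)
        if not (SQL_LITERAL.search(rhs) and operands):
            continue                                   # static SQL, or not SQL
        findings.append(("dynamic SQL", var, rhs))     # step 1
        for expr in operands:                          # steps 2 and 3
            chain = trace(expr, params, assigns)
            if chain:
                findings.append(("tainted operand", expr, " <- ".join(chain)))
    return findings
```

Running find_violations(JAVA_DOGET) reports the query as dynamic SQL and the operand id with the chain "id <- request", while table is not reported because it resolves only to a constant.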
