时间戳

首页 > 解决方案 > Checkmarx Postgres 查询形成错误 SQL Injection error , SQL Second order injection error Java Springboot

java - Checkmarx Postgres 查询形成错误 SQL Injection error , SQL Second order injection error Java Springboot

问题描述

我有一些执行数据库操作的 API。每当我将代码上传到 checkmarx 时,我都会收到以下错误,并将其标记为高漏洞错误有人可以帮助我吗?

错误

应用程序的 CreateDatabaseAndMapToDomain 方法在 daas-springboot-CheckMarxIntegration\src\main\java\com\it\daas\apis\service\PostgresConnectionServiceImpl.java 的第 717 行使用 executeQuery 执行 SQL 查询。应用程序通过将不受信任的字符串嵌入到查询中来构造此 SQL 查询,而无需进行适当的清理。连接的字符串被提交到数据库,在那里进行相应的解析和执行。

攻击者可能能够将任意数据写入数据库,然后应用程序在 daas-springboot-CheckMarxIntegration\src\main\java\com\it\daas\apis\service 的第 678 行的 getDomains 方法中使用 executeQuery 检索这些数据\PostgresConnectionServiceImpl.java。然后这些数据流经代码,直到直接在 SQL 查询中使用,无需净化,然后提交给数据库服务器执行

这是我的功能

    @Override
public String getDomains() throws SQLException {

    String domainquery = "SELECT id,domain FROM domain";
    Connection con = null;
    PreparedStatement st = null;
    ResultSet result = null;
    try
    {
        con = ConnectToPostgresapibuilderDatabase(apibuilderConnectionString, apibuilderUserName,apibuilderPassword);
        con.setSchema(this.schema);
        st = con.prepareStatement(domainquery);
        result = st.executeQuery();

        ArrayList<DatabaseDomainBean> list = new ArrayList<DatabaseDomainBean>();
        while (result.next()) {
            list.add(new DatabaseDomainBean(result.getString("domain"), result.getString("id")));
        }
        return new JSONObject().put("domainlist", list).toString();


    }
    catch(Exception e)
    {

        e.printStackTrace();
        return null;
    }
    finally{

        result.close();
        st.close();
        con.close();

    }


}

@Override
public String CreateDatabaseAndMapToDomain(String database, String[] domainIds, String password)
        throws SQLException {

    if (!this.apibuilderPassword.equals(password)) {
        return null;
    }
    else if(database==null || domainIds==null || password ==null)
    {
        return "Failure";
    }


    Connection con =null;
    PreparedStatement st =null;
    ResultSet ispresent =null;
    PreparedStatement mapquerystmnt =null;
    ResultSet resultMapping = null;

    try
    {
        con = ConnectToPostgresapibuilderDatabase(apibuilderConnectionString, apibuilderUserName,apibuilderPassword);
        con.setSchema(this.schema);

        for (int i = 0; i < domainIds.length; i++) {

            con.setSchema(this.schema);

            String IfExists = MessageFormat.format(
                    "SELECT databasename,domainid FROM Databases WHERE databasename IN (?) AND domainid IN (?)",
                    Utilitymethods.ConvertToMessageFormatCompatibleForm(database),
                    Utilitymethods.ConvertToMessageFormatCompatibleForm(domainIds[i]));

            st = con.prepareStatement(IfExists);
            st.setString(1, database);
            st.setInt(2, Integer.parseInt(domainIds[i]));
            ispresent = st.executeQuery();

            if (!ispresent.next()) {
                // INSERT INTO Databases (databasename,domainid) VALUES ('Teradata','1')
                String mapquery = MessageFormat.format(
                        "INSERT INTO Databases (databasename,domainid) VALUES (?,?) returning Id",
                        Utilitymethods.ConvertToMessageFormatCompatibleForm(database),
                        Utilitymethods.ConvertToMessageFormatCompatibleForm(domainIds[i]));
                 mapquerystmnt = con.prepareStatement(mapquery);
                 mapquerystmnt.setString(1, database);
                 mapquerystmnt.setInt(2, Integer.parseInt(domainIds[i]));
                 resultMapping =  mapquerystmnt.executeQuery();
            }

        }

        return "Success";

    }
    catch(Exception e)
    {
        e.printStackTrace();
        return "Failure";

    }
    finally
    {

        ispresent.close();
        st.close();
        resultMapping.close();
        mapquerystmnt.close();
        con.close();
    }





}


@Override
public String getDomains() throws SQLException {

    String domainquery = "SELECT id,domain FROM domain";
    Connection con = null;
    PreparedStatement st = null;
    ResultSet result = null;
    try
    {
        con = ConnectToPostgresapibuilderDatabase(apibuilderConnectionString, apibuilderUserName,apibuilderPassword);
        con.setSchema(this.schema);
        st = con.prepareStatement(domainquery);
        result = st.executeQuery();

        ArrayList<DatabaseDomainBean> list = new ArrayList<DatabaseDomainBean>();
        while (result.next()) {
            list.add(new DatabaseDomainBean(result.getString("domain"), result.getString("id")));
        }
        return new JSONObject().put("domainlist", list).toString();


    }
    catch(Exception e)
    {

        e.printStackTrace();
        return null;
    }
    finally{

        result.close();
        st.close();
        con.close();

    }


}

标签: javapostgresqlspring-bootprepared-statementcheckmarx

解决方案

直接试试st = con.prepareStatement("SELECT id,domain FROM domain")String domainquery = "SELECT id,domain FROM domain"由于语句和 sql 注入的可能性,checkmarx 看起来很混乱。

推荐阅读