
SQL injection false positive at Spring Data's @Query #959

Closed
jonybuzz opened this issue Jan 27, 2022 · 3 comments · Fixed by #972
Labels
kind/bug Something isn't working kind/false-positive This issue is related with false positive kind/more-info-needed This issue need more details to continue project/horusec-cli This issue is related to the project https://github.com/ZupIT/horusec

Comments

@jonybuzz

What happened:
Horusec CLI warns about query parameters that are not bound, but Spring Data takes care of that. The JSON result of the validation:

    {
      "vulnerabilityID": "00000000-0000-0000-0000-000000000000",
      "analysisID": "759fa0d2-badc-41d9-9471-9bd782f0223d",
      "createdAt": "2022-01-27T20:54:59.369684163Z",
      "vulnerabilities": {
        "vulnerabilityID": "11534d2f-ba37-4492-8db3-f792a91f5683",
        "line": "12",
        "column": "12",
        "confidence": "LOW",
        "file": "src/main/java/com/example/MyEntityRepository.java",
        "code": "@Query(\"select u.field from MyEntity u \" +",
        "details": "SQL Injection\nThe input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.",
        "securityTool": "HorusecEngine",
        "language": "Java",
        "severity": "HIGH",
        "type": "Vulnerability",
        "commitAuthor": "-",
        "commitEmail": "-",
        "commitHash": "-",
        "commitMessage": "-",
        "commitDate": "-",
        "vulnHash": "fd7a11f3fe70fb437adc7e72b030ef4be4d252bf795d6752944f26a865f60a5f"
      }
    }

What you expected to happen:
Do not trigger a vulnerability detection.

How to reproduce it (as minimally and precisely as possible):
Implement a basic Spring Data repository with a method annotated with a JPQL @Query:

    import com.example.MyEntity;
    import org.springframework.data.jpa.repository.Query;
    import org.springframework.data.repository.CrudRepository;
    import org.springframework.data.repository.query.Param;

    public interface MyEntityRepository extends CrudRepository<MyEntity, String> {
        // ":value" is a named JPQL parameter; Spring Data binds it from @Param("value")
        @Query("select e from MyEntity e where e.otherField = :value")
        public MyEntity getByValue(@Param("value") String value);
    }

Environment:

  • Horusec version: v2.6.4
  • Network plugin / Tool and version (if this is a network-related / tool bug): Docker image horuszup/horusec-cli:v2.6.9
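The security point behind this report, as an added example that is neither Horusec's own rule nor the reporter's code: an `@Query` argument is a Java compile-time constant, so the `" +` that was flagged can only join literals, while runtime string construction that can carry request input is an `EntityManager.createQuery` call whose argument concatenates a variable. The hypothetical `Classify` heuristic below (Go, the language Horusec is written in) scans Java source for both kinds of site and reports only the latter; it tracks string literals but not nested parentheses, which is enough for the shapes in this issue.

```go
package main

import "strings"

// argsAfter maps the first top-level argument following each occurrence of
// prefix to whether it is "dynamic". Java string literals are tracked so a ','
// or ')' inside the JPQL text does not end the argument early; whatever lies
// outside the literals is the glue, and a pure literal concatenation leaves
// only '+' and whitespace there. Anything else is a variable, field or call.
func argsAfter(src, prefix string) map[string]bool {
	out := map[string]bool{}
	for i := strings.Index(src, prefix); i >= 0; i = strings.Index(src, prefix) {
		src = src[i+len(prefix):]
		var glue strings.Builder
		inStr, end := false, -1
		for j := 0; j < len(src) && end < 0; j++ {
			switch c := src[j]; {
			case inStr && c == '\\':
				j++ // the escaped character stays inside the literal
			case c == '"':
				inStr = !inStr
			case !inStr && (c == ')' || c == ','):
				end = j
			case !inStr:
				glue.WriteByte(c)
			}
		}
		if end < 0 {
			break // unterminated argument: nothing more to report
		}
		out[src[:end]] = strings.TrimLeft(glue.String(), "+ \t\r\n") != ""
		src = src[end+1:]
	}
	return out
}

// Classify maps each query site to whether it should be reported. An @Query
// argument is a Java compile-time constant: '+' there can only join literals
// or constants, and ':name' / '?1' placeholders are bound by Spring Data, so
// it is never reported. EntityManager.createQuery builds the string at
// runtime, so a dynamic operand there is the pattern worth reporting.
func Classify(src string) map[string]bool {
	report := argsAfter(src, ".createQuery(")
	for arg := range argsAfter(src, "@Query(") {
		report[arg] = false
	}
	return report
}
```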
@jonybuzz jonybuzz added the kind/bug Something isn't working label Jan 27, 2022
@nathanmartinszup
Contributor

Hi, @jonybuzz.

We are going to take a look at this; reporting these false positives is really important to help us improve our analysis.

I recommend you update the CLI to the latest version, 2.6.9; we are constantly releasing a lot of improvements and corrections, so make sure to keep it updated.

Anyway, thanks for the feedback!

@nathanmartinszup nathanmartinszup added kind/false-positive This issue is related with false positive project/horusec-cli This issue is related to the project https://github.com/ZupIT/horusec labels Jan 28, 2022
@nathanmartinszup
Contributor

Hi @jonybuzz.

I performed a test with the new version v2.7.1 and the example code provided did not show any vulnerability. After the update, does the problem persist?

@nathanmartinszup nathanmartinszup added the kind/more-info-needed This issue need more details to continue label Feb 15, 2022
@iancardosozup iancardosozup linked a pull request Feb 16, 2022 that will close this issue
@nathanmartinszup
Contributor

I will be closing this issue; if there are any problems, feel free to open it again.

Thanks for the contribution!
