Inspectopedia
 
2024.3

Non-safe string is used as SQL

Warning
Security
New
CWE-89
CWE Top 25
CWE-564
Last modified: 03 December 2024

Reports cases in Java and Kotlin code where a non-safe string is passed to a method as an SQL query. Such calls can lead to SQL injection (CWE-89). The list of methods is taken from the language injection settings (Settings - Language Injections) for SQL, JPA QL, Hibernate QL and PostgreSQL.

A safe object is one of the following:

  • a string literal, an interface instance, an enum object, an int or its wrapper, a boolean or its wrapper, or a class object

  • the result of a method call whose receiver and all arguments are safe

  • a private field in the same file that has a safe initializer and is only ever assigned string literals

  • a final field in the same file that has a safe initializer

  • a local variable that is only ever assigned safe objects

In addition, such a field, local variable, or parameter must either be a primitive, a primitive wrapper, or an immutable object, or it must never be passed as an argument to a method or used as a qualifier (a mutable object handed to another method could be modified there). Static final fields are considered safe.

The analysis is performed only inside one file. Example:
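The following Java class is an added illustration of what the inspection reports and what it accepts; it is not the inspection's own example. The class, table and column names, and the `users` schema, are assumptions made for the example. The first method concatenates a method parameter into the query text, so the resulting string is not safe by the rules above and the call is reported; the second keeps the query text safe (a literal plus a static final field) and passes the untrusted value as a bound parameter; the third concatenates an int, which the rules list as safe.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not taken from the inspection page.
// Class, table and column names are assumptions.
public class UserLookup {

    // Static final field with a literal initializer: safe under the rules above.
    private static final String BASE_QUERY = "SELECT id, name FROM users";

    private final Connection connection;

    public UserLookup(Connection connection) {
        this.connection = connection;
    }

    // Reported: 'name' is a method parameter, so the concatenated string is not
    // safe. An input such as  x' OR '1'='1  changes the meaning of the query.
    public ResultSet findByNameUnsafe(String name) throws SQLException {
        String sql = BASE_QUERY + " WHERE name = '" + name + "'";
        Statement statement = connection.createStatement();
        return statement.executeQuery(sql);   // non-safe string used as SQL
    }

    // Not reported: the query text is built only from a string literal and a
    // safe static final field; the untrusted value is passed as a bound
    // parameter and never becomes part of the SQL text.
    public ResultSet findByNameSafe(String name) throws SQLException {
        String sql = BASE_QUERY + " WHERE name = ?";
        PreparedStatement statement = connection.prepareStatement(sql);
        statement.setString(1, name);
        return statement.executeQuery();
    }

    // Not reported: an int is listed as a safe object (it cannot carry SQL
    // syntax), so concatenating it into the query keeps the string safe.
    public ResultSet findById(int id) throws SQLException {
        String sql = BASE_QUERY + " WHERE id = " + id;
        Statement statement = connection.createStatement();
        return statement.executeQuery(sql);
    }
}
```

Note that `findByNameSafe` is the form to prefer in practice regardless of the inspection: binding the value with `setString` leaves the SQL text fixed, whereas the inspection's notion of a safe string only tells you that no untrusted data reached the query text within this file.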

New in 2023.2