Non-safe string is used as SQL
Reports cases for Java and Kotlin languages when a non-safe string is passed to a method as a SQL query. It can be a cause of SQL injections. The list of methods is taken from Settings - Language Injections for SQL
, JPA QL
, Hibernate QL
and PostgreSQL
A safe object is:
a string literal, interface instance, or enum object, int and its wrapper, boolean and its wrapper, class object
a result of a call of a method, whose receiver and arguments are safe
a private field in the same file, which is assigned only with a string literal and has a safe initializer
a final field in the same file, which has a safe initializer
a local variable which is assigned from safe-objects
This field, local variable, or parameter must not be passed as arguments to methods or used as a qualifier or must be a primitive, its wrapper or immutable. Static final fields are considered as safe.
The analysis is performed only inside one file. Example:
public void save(String sql) {
JdbcTemplate jdbcTemplate = new JdbcTemplate();
jdbcTemplate.queryForList(sql);
}
- By ID
Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.
SqlSourceToSinkFlow
New in 2023.2
Here you can find the description of settings available for the Non-safe string is used as SQL inspection, and the reference of their default values.
Inspection Details | |
---|---|
By default bundled with: | |
Can be installed with plugin: | Persistence Frameworks, 243.23126 |
Thanks for your feedback!