Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Code Security Finding: SQL Injection (CWE-89, High Severity) in SQLInjectionServlet.java:69 #26

Open
2 tasks
joshn-whitesource-app bot opened this issue Feb 15, 2024 · 0 comments
Open
2 tasks

Code Security Finding: SQL Injection (CWE-89, High Severity) in SQLInjectionServlet.java:69 #26

joshn-whitesource-app bot opened this issue Feb 15, 2024 · 0 comments
Labels
Mend: code security findings Code security findings detected by Mend

Comments

@joshn-whitesource-app
Copy link
Contributor

Code Security Finding

This finding was first detected on 2024-02-15 10:29pm GMT and is still present in the last scan performed on 2024-02-15 10:28pm GMT:

SeverityVulnerability TypeCWEFileData Flows
HighSQL Injection

CWE-89

SQLInjectionServlet.java:69

1
Vulnerable Code

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Lines 64 to 69 in fe0933f

ResultSet rs = null;
String result = getErrMsg("msg.error.user.not.exist", req.getLocale());
try {
conn = DBClient.getConnection();
stmt = conn.createStatement();
rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

1 Data Flow/s detected

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 28 in fe0933f

String password = StringUtils.trim(req.getParameter("password"));

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 28 in fe0933f

String password = StringUtils.trim(req.getParameter("password"));

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 28 in fe0933f

String password = StringUtils.trim(req.getParameter("password"));

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 45 in fe0933f

bodyHtml.append(selectUsers(name, password, req));

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 60 in fe0933f

private String selectUsers(String name, String password, HttpServletRequest req) {

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 69 in fe0933f

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

easybuggy3/src/main/java/org/t246osslab/easybuggy/vulnerabilities/SQLInjectionServlet.java

Line 69 in fe0933f

rs = stmt.executeQuery("SELECT name, secret FROM users WHERE ispublic = 'true' AND name='" + name

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior SQL Injection Training

● Videos

   ▪ Secure Code Warrior SQL Injection Video

● Further Reading

   ▪ OWASP SQL Injection Prevention Cheat Sheet

   ▪ OWASP SQL Injection

   ▪ OWASP Query Parameterization Cheat Sheet

🏴 Suppress Finding
  • ... as False Alarm
  • ... as Acceptable Risk
@joshn-whitesource-app joshn-whitesource-app bot added the Mend: code security findings Code security findings detected by Mend label Feb 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: code security findings Code security findings detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants