
I am using FindBugs along with the plugin Find Security Bugs to help me find security flaws in my code. I am not sure why some code is flagged as vulnerable to SQL injection.

Here are two examples:

// First example: a constant HQL string, built through a StringBuilder
final StringBuilder queryString = new StringBuilder("SELECT users.login FROM Users users, Table table WHERE users.idUser = table.users.idUser");
Query query = session.createQuery(queryString.toString()); // This line is flagged


// Second example: constant HQL with a named parameter bound via setInteger()
StringBuilder queryString = new StringBuilder("SELECT data FROM Table ");
queryString.append("WHERE table.idEntreprise = :id");
Query query = session.createQuery(queryString.toString()).setInteger("id", id); // This line is flagged

Is it a false positive, or did I miss something? If I understand the matter correctly, shouldn't using createQuery() and setX() be enough?

h3xStream
Flanfl
  • I suppose, in theory, since it's a `StringBuilder` and not a String constant someone could potentially change the SQL String, but that seems very unlikely. – Zutty Apr 26 '13 at 09:37
  • Is it even necessary to make it StringBuilder? From the short example here, I can't see any point in making the string mutable. – nhahtdh Apr 26 '13 at 09:40
  • @Zutty yes, it would seem quite difficult to do. – Flanfl Apr 26 '13 at 12:41

1 Answer

This is a false positive. Named query parameters are escaped by Hibernate, so no SQL injection can be performed.

Even the first query without named parameters is safe since it does not use external input for the users.idUser parameter.

kostja
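To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) that puts the pattern the detector is actually meant to catch next to the safe, parameterized form. It assumes Hibernate's `org.hibernate.Session`/`Query` API as used in the question, the FindBugs `SuppressFBWarnings` annotation from the findbugs-annotations artifact, and the Find Security Bugs pattern id `SQL_INJECTION_HIBERNATE`; the entity and column names are the ones from the question.

```java
import java.util.List;

import org.hibernate.Query;
import org.hibernate.Session;

import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

// Added example: contrasts real HQL injection with the two safe forms
// from the question. Assumes a Hibernate Session is injected by the caller.
public class EnterpriseDao {

    private final Session session;

    public EnterpriseDao(Session session) {
        this.session = session;
    }

    // VULNERABLE: caller-controlled text is concatenated into the HQL itself,
    // so whatever the caller supplies is parsed as query syntax. This is the
    // shape the SQL injection detector exists to catch. Do not use.
    public List<?> findDataVulnerable(String idFromRequest) {
        String hql = "SELECT data FROM Table WHERE table.idEntreprise = " + idFromRequest;
        return session.createQuery(hql).list();
    }

    // SAFE: the HQL text is a constant; the value is bound as a named
    // parameter and is never interpreted as query syntax. This is the
    // second form from the question, without the StringBuilder.
    public List<?> findDataSafe(int id) {
        Query query = session.createQuery(
                "SELECT data FROM Table WHERE table.idEntreprise = :id");
        query.setInteger("id", id);
        return query.list();
    }

    // SAFE, but still flagged: the query is assembled at run time, so the
    // detector cannot prove the argument to createQuery() is constant.
    // Once a reviewer has confirmed no external input reaches the builder,
    // the finding can be suppressed with a justification that documents why.
    // (Pattern id assumed for the reader's Find Security Bugs version.)
    @SuppressFBWarnings(
            value = "SQL_INJECTION_HIBERNATE",
            justification = "HQL is built only from string literals; no external input")
    public List<?> findLoginsConstantBuilder() {
        StringBuilder hql = new StringBuilder("SELECT users.login FROM Users users, Table table ");
        hql.append("WHERE users.idUser = table.users.idUser");
        return session.createQuery(hql.toString()).list();
    }
}
```

The practical rule this illustrates: the detector is not reasoning about where the data comes from, only about whether the string handed to `createQuery()` is a compile-time constant. Keeping the HQL text literal and passing values through `setX()` satisfies both the tool and the actual security requirement; the StringBuilder variants are safe only because nothing external is ever appended, which is exactly what the suppression justification should record.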