This rule detects potential SQL injections. SQL Injection is a common application layer attack technique used by hackers to steal or manipulate data from the database. It occurs when an application includes untrusted data in a SQL command that is part of a query.
SQL injection can lead to serious data breaches, unauthorized access, data corruption, and in some cases, even complete system takeover. It is crucial to ensure your code is immune to such vulnerabilities.
Adhering to good coding practices can help avoid SQL injection. Always use parameterized queries or prepared statements instead of concatenating user input into SQL commands. For instance, use PreparedStatement with placeholders (?) in Java to ensure user input is appropriately sanitized before it is included in a SQL command. Avoid exposing detailed error messages that might reveal underlying database structure. Regularly update and patch your systems, and consider using a web application firewall for an additional layer of security.
Non-Compliant Code Examples
importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjava.sql.DriverManager;publicclassNonCompliant{publicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse){Stringparam="<default>";java.util.Enumeration<String>headers=request.getHeaders("X-Some-Header");if(headers!=null&&headers.hasMoreElements()){param=headers.nextElement();}param=java.net.URLDecoder.decode(param,"UTF-8");Stringsql="INSERT INTO users (username, password) VALUES ('foo','"+param+"')";java.sql.Connectionconnection=DriverManager.getConnection("<url>","<user>","<password>");java.sql.Statementstatement=connection.createStatement();statement.executeUpdate(sql);connection.close();}}importorg.springframework.web.bind.annotation.PostMapping;importorg.springframework.web.bind.annotation.RequestHeader;importorg.springframework.web.bind.annotation.RestController;@RestControllerpublicclassNonCompliant2{@PostMapping("/")publicvoidhandlePost(@RequestHeader("X-Some-Header")StringheaderValue){Stringsql="INSERT INTO users (username, password) VALUES ('foo','"+headerValue+"')";java.sql.Connectionconnection=DriverManager.getConnection("<url>","<user>","<password>");java.sql.Statementstatement=connection.createStatement();statement.executeUpdate(sql);}}
Compliant Code Examples
importjavax.servlet.http.HttpServletRequest;importjavax.servlet.http.HttpServletResponse;importjava.sql.DriverManager;publicclassCompliant{publicvoiddoPost(HttpServletRequestrequest,HttpServletResponseresponse){Stringparam="<default>";java.util.Enumeration<String>headers=request.getHeaders("X-Some-Header");if(headers!=null&&headers.hasMoreElements()){param=headers.nextElement();}param=java.net.URLDecoder.decode(param,"UTF-8");Stringsql="INSERT INTO users (username, password) VALUES ('foo', ?)";java.sql.Connectionconnection=DriverManager.getConnection("<url>","<user>","<password>");java.sql.PreparedStatementstatement=connection.prepareStatement(sql);statement.setString(1,param);statement.executeUpdate();connection.close();}}
シームレスな統合。 Datadog Code Security をお試しください
Datadog Code Security
このルールを試し、Datadog Code Security でコードを解析する
このルールの使用方法
1
2
rulesets:- java-security # Rules to enforce Java security.