SQL injection - Java Persistence API
Description
Dynamic SQL statements are generated without the required data validation and without using parameterized statements or stored procedures. When using LIKE-conditions with values that are coming from a not secure source in the Java Persistence API, the values should be sanitized so they can't contain any wildcards and thereby allow attackers to select more data than they should be able to. For this purpose the escape(String) method is available.
Impact
Extract sensitive information from the Database.
Recommendation
Perform queries to the database through sentences or parameterized procedures. Alternatively use escape(String) built-in function.
Threat
Authenticated attacker from the Internet.
Expected Remediation Time
⌚ 10 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: L
- User interaction: N
- Scope: U
- Confidentiality: H
- Integrity: N
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: X
- Report confidence: R
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:X/RC:R
- Score:
- Base: 6.5
- Temporal: 5.9
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: L
- User interaction: N
- Confidentiality (VC): H
- Integrity (VI): N
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
- Exploit maturity: P
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
- Score:
- CVSS-BT: 5.7
- Severity:
- CVSS-BT: Medium
Compliant code
The query statements are performed in a parameterized way, validating input data with at least a escape() call
import org.skife.jdbi.v2.sqlobject.SqlQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import java.util.List;
public interface ParametersJpaRepository extends JpaRepository {
/* Secure */
@Query("select u from User u where u.firstname like %?#{escape([0])}% escape ?#{escapeCharacter()}")
List findContainingEscaped(String namePart);
}
Non compliant code
The application performs a query statement without validating input data
import org.skife.jdbi.v2.sqlobject.SqlQuery;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
import java.util.List;
public interface ParametersJpaRepository extends JpaRepository {
// Unsafe LIKE statement injection
@SqlQuery("select u from User u where u.lastname like %:#{[0]}%")
List findByLastnameWithSpelExpression(@Param("lastname") String lastname);
}
Requirements
Fixes
