SQL排序方向的注入风险?
SQL injection risk on sort direction?
我正在生成如下所示的动态 prepareStatement(字段可能会根据请求输入而改变)。 Veracode 扫描继续报告 SQL 注入风险 - CWE-89:SQL 命令('SQL Injection')中使用的特殊元素的不当中和。
Select id from table where (USER_KEY=?) AND (TIMESTAMP between ? and ?) AND (APPLICATION_ID = ? OR APPLICATION_ID = ? )
AND (TITLE = ? ) order by "sortField" "sortDirection" limit "searchlimit"
因为从 "order by" 开始的所有内容都不能通过问号 (?) 进行参数化。在连接到 prepareStatment 之前,我按照现有文章清理了以 "order by" 开头的字符串。
。排序字段和限制检查逻辑很好,但排序方向检查仍然会触发 SQL 注入风险警报。
StringBuilder whereBuilder = new StringBuilder();
...
if(!Utility.checkAllowedSortColumn(Utility.getSQLField(sortField))) {
throw new ServiceException("Invalid Request: bad SQL sort field resulted from - "+sortField);
}else {
whereBuilder.append(" order by ");
whereBuilder.append(Utility.getSQLField(sortField));
whereBuilder.append(" ");
}
/*
if(sortDirection.equalsIgnoreCase("DESC") || sortDirection.equalsIgnoreCase("ASC")){
whereBuilder.append(sortDirection);
}else {
throw new ServiceException("Invalid Request: bad sort direction - "+sortDirection);
}*/
if(Integer.parseInt(searchLimit) < 1){
throw new ServiceException("Invalid Request: query result limit must be greater than zero");
}
else {
whereBuilder.append(" limit ");
whereBuilder.append(searchLimit);
}
return whereBuilder.toString();
如果我像上面那样注释掉sortDirection检查逻辑,Veracode扫描通过了preparedStatement(当然,它采用DB默认ASC)。但是,我希望基于用户输入的 DESC 或 ASC 的 sortDirection。在没有 SQL 注入风险的情况下添加带有检查逻辑的排序方向的任何建议?
您的评论块不应给您的查询带来任何风险。看起来这个 Veracode 工具不够智能,无法将其标记为安全。你能像下面这样重组你的代码来欺骗它吗?
if(sortDirection.equalsIgnoreCase("DESC")) {
whereBuilder.append("DESC");
} else if (sortDirection.equalsIgnoreCase("ASC")) {
whereBuilder.append("ASC");
} else {
throw new ServiceException("Invalid Request: bad sort direction - "+sortDirection);
}
我正在生成如下所示的动态 prepareStatement(字段可能会根据请求输入而改变)。 Veracode 扫描继续报告 SQL 注入风险 - CWE-89:SQL 命令('SQL Injection')中使用的特殊元素的不当中和。
Select id from table where (USER_KEY=?) AND (TIMESTAMP between ? and ?) AND (APPLICATION_ID = ? OR APPLICATION_ID = ? )
AND (TITLE = ? ) order by "sortField" "sortDirection" limit "searchlimit"
因为从 "order by" 开始的所有内容都不能通过问号 (?) 进行参数化。在连接到 prepareStatment 之前,我按照现有文章清理了以 "order by" 开头的字符串。
StringBuilder whereBuilder = new StringBuilder();
...
if(!Utility.checkAllowedSortColumn(Utility.getSQLField(sortField))) {
throw new ServiceException("Invalid Request: bad SQL sort field resulted from - "+sortField);
}else {
whereBuilder.append(" order by ");
whereBuilder.append(Utility.getSQLField(sortField));
whereBuilder.append(" ");
}
/*
if(sortDirection.equalsIgnoreCase("DESC") || sortDirection.equalsIgnoreCase("ASC")){
whereBuilder.append(sortDirection);
}else {
throw new ServiceException("Invalid Request: bad sort direction - "+sortDirection);
}*/
if(Integer.parseInt(searchLimit) < 1){
throw new ServiceException("Invalid Request: query result limit must be greater than zero");
}
else {
whereBuilder.append(" limit ");
whereBuilder.append(searchLimit);
}
return whereBuilder.toString();
如果我像上面那样注释掉sortDirection检查逻辑,Veracode扫描通过了preparedStatement(当然,它采用DB默认ASC)。但是,我希望基于用户输入的 DESC 或 ASC 的 sortDirection。在没有 SQL 注入风险的情况下添加带有检查逻辑的排序方向的任何建议?
您的评论块不应给您的查询带来任何风险。看起来这个 Veracode 工具不够智能,无法将其标记为安全。你能像下面这样重组你的代码来欺骗它吗?
if(sortDirection.equalsIgnoreCase("DESC")) {
whereBuilder.append("DESC");
} else if (sortDirection.equalsIgnoreCase("ASC")) {
whereBuilder.append("ASC");
} else {
throw new ServiceException("Invalid Request: bad sort direction - "+sortDirection);
}