[英]Looking for a way to prevent to usage of java.sql.Statement in project
Our team is looking to have better compliance with the OWASP guidelines, and one of the tasks is the prevention of SQL Injection attacks. 我们的团队希望更好地遵守OWASP指南,其中一项任务是防止SQL注入攻击。 In order to facilitate this, I was looking for a way to automatically check for the usage of java.sql.Statement
in our codebase, so this could be flagged and changed to use PreparedStatement
. 为了方便这一点,我一直在寻找一种方法来自动检查我们的代码库中java.sql.Statement
的用法,因此可以标记并更改为使用PreparedStatement
。
Our build process is based on Maven and we also have Sonar setup to run analytics on the project. 我们的构建过程基于Maven,我们还有Sonar设置来对项目进行分析。 Some rules are already in place in Sonar to fail our builds if certain thresholds are met, so this could be implemented there. 如果满足某些阈值,Sonar中已经存在一些规则使我们的构建失败,因此可以在那里实现。 I have seen where I could setup a checkstyle regex rule looking for the import, but I wanted to see if there were other options as well. 我已经看到我可以在哪里设置checkstyle regex规则来查找导入,但我想看看是否还有其他选项。
Any location along the development/build path would work. 开发/构建路径上的任何位置都可以工作。 If there were something in intellij that would flag this, something in the maven build process, or a different way to flag this in Sonar, any of these would be fine. 如果intellij中有一些东西可以标记这个,maven构建过程中的某些东西,或者在Sonar中标记这个的不同方式,那么任何这些都可以。
Thanks!! 谢谢!!
I would suggest creating an architectural constraint within Sonar. 我建议在Sonar中创建一个架构约束 。
The example demonstrates a rule banning the use of *java.sql.** classes. 该示例演示了禁止使用* java.sql。**类的规则。
我没有使用它,但PMD看起来可能是一个很好的工具。
Instead of detecting class usage, could you instead detect their generation with a java.sql.Connection
proxy? 您可以使用java.sql.Connection
代理检测它们的生成,而不是检测类的使用吗? When you get your connection from the factory, you would wrap it in your proxy. 当您从工厂获得连接时,您可以将其包装在代理中。 Your proxy would be instrumented to could method calls, log query strings, and/or report on stack traces when folks are using createStatement()
or other off-limit calls. 当人们使用createStatement()
或其他限制调用时,您的代理将被检测到方法调用,日志查询字符串和/或报告堆栈跟踪。
public class ProxyConnection implements Connection {
private Connection realConnection;
public ProxyConnection(Connection realConnection) {
this.realConnection = realConnection;
}
public Statement createStatement() throws SQLException {
// could the offenders
createCounter.incrementAndGet();
// log the callers -- expensive so maybe every 100th or every 10 secs
logger.info("call to createStatment", new Exception("createStatement"));
// maybe just throw
if (throwOnBadCall) {
throw new SQLException("calls to createStatement aren't allowed"));
}
return realConnection.createStatement();
}
If you don't want to get too heavy in production then you could always count them and have a volatile boolean logBadCall
type of flag to only enable the checking for a period of time to sample looking for problems. 如果你不想在生产中过于沉重,那么你总是可以计算它们并且具有一个volatile boolean logBadCall
类型的标志,只允许检查一段时间来抽样寻找问题。 Maybe initially you do some sampling, attack the 80% locations and then only have the detection on permanently when you've taken care of the high query load parts of your application. 也许最初你会做一些采样,攻击80%的位置,然后只有在你处理应用程序的高查询负载部分时才会永久检测。
If you do not have a central location to wrap the connection then you may have to wrap the connection pool or the factory up the chain a bit. 如果您没有中心位置来包装连接,那么您可能需要将连接池或工厂包装起来。
Hope this helps. 希望这可以帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.