
Resolve SQL Injection Error from Checkmarx using NamedParameterJdbcTemplate reading parameterized query from a file

The query is read from a file in the resources folder of a Java Spring Boot application. How can I prevent the SQL injection error from Checkmarx in the code below?

import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.io.IOUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
import org.springframework.stereotype.Repository;

@Repository
public class ItemRepository {

  @Autowired
  NamedParameterJdbcTemplate jdbcTemplate;

  public List<Item> getData(String action) {
    String sql;
    // The SQL text is loaded from a packaged resource, not built from user input.
    try (InputStream in = getClass().getResourceAsStream("queries/query.sql")) {
      sql = IOUtils.toString(in, StandardCharsets.UTF_8);
    } catch (IOException ex) {
      throw new UncheckedIOException("Cannot read queries/query.sql", ex);
    }
    // The caller's value is bound as the named parameter :action, never concatenated into the SQL.
    MapSqlParameterSource parameters = new MapSqlParameterSource();
    parameters.addValue("action", action, Types.VARCHAR);
    try {
      return jdbcTemplate.query(sql, parameters, new ItemMapper());
    } catch (EmptyResultDataAccessException ex) {
      return new ArrayList<>();
    }
  }
}

Error message:

The application's getData method executes an SQL query with query, at line 13 of ItemRepository.java. The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.

An attacker would be able to inject arbitrary syntax and data into the SQL query, by crafting a malicious payload and providing it via the input toString; this input is then read by the getData method at line 8 of ItemRepository.java. This input then flows through the code, into a query and to the database server - without sanitization.

This may enable an SQL Injection attack.

Checkmarx probably complains about the SQL string coming from the stream. In this specific case it comes from a resource file inside the jar, which is probably a trusted source in your application. If so, this is a false positive and you should mark it as not exploitable (with appropriate reasoning).
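To confirm in your own build that the finding is a false positive, rather than only reasoning about it, here is a JUnit 5 test (added here; not from the question or the answer) that runs the same NamedParameterJdbcTemplate pattern against an in-memory H2 database. It assumes H2, Spring JDBC and JUnit 5 on the test classpath, and it inlines a constructed stand-in for queries/query.sql together with an item table that the real project need not have:

```java
import static org.junit.jupiter.api.Assertions.*;

import java.util.List;
import java.util.Map;
import org.h2.jdbcx.JdbcDataSource;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.springframework.jdbc.core.namedparam.MapSqlParameterSource;
import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;

class ParameterizedQueryTest {

  // Constructed stand-in for queries/query.sql; the real file is read from the classpath.
  private static final String SQL = "SELECT id, action FROM item WHERE action = :action";

  private NamedParameterJdbcTemplate jdbc;

  @BeforeEach
  void setUp() {
    JdbcDataSource ds = new JdbcDataSource();
    ds.setURL("jdbc:h2:mem:test;DB_CLOSE_DELAY=-1");
    jdbc = new NamedParameterJdbcTemplate(ds);
    jdbc.getJdbcOperations().execute("DROP TABLE IF EXISTS item");
    jdbc.getJdbcOperations().execute("CREATE TABLE item (id INT PRIMARY KEY, action VARCHAR(64))");
    jdbc.getJdbcOperations().execute("INSERT INTO item VALUES (1, 'create'), (2, 'delete')");
  }

  @Test
  void queryTextUsesNamedPlaceholderOnly() {
    // The static SQL carries a bind marker and no quoted literal that a caller could influence.
    assertTrue(SQL.contains(":action"));
    assertFalse(SQL.contains("'"));
  }

  @Test
  void boundValueIsTreatedAsDataNotSyntax() {
    // A value containing SQL metacharacters is bound as one literal string:
    // it matches nothing instead of changing the WHERE clause.
    String metachars = "create' OR '1'='1";
    List<Map<String, Object>> rows =
        jdbc.queryForList(SQL, new MapSqlParameterSource("action", metachars));
    assertTrue(rows.isEmpty());

    // A normal value still matches exactly one row (H2 upper-cases column labels).
    rows = jdbc.queryForList(SQL, new MapSqlParameterSource("action", "create"));
    assertEquals(1, rows.size());
    assertEquals("create", rows.get(0).get("ACTION"));
  }
}
```

A passing test is concrete evidence to attach when marking the Checkmarx result as not exploitable.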


Notice: the technical posts on this site are licensed under CC BY-SA 4.0. If you need to republish, please credit this site or the original address. For any questions contact: yoyou2525@163.com.

Guangdong ICP Registration No. 18138465  © 2020-2024 STACKOOM.COM