Findbugs 未发现潜在的 SQL 注入漏洞
我刚刚安装了 Eclipse 的 FindBugs 插件,希望它能帮助我找到代码中的 SQL 注入漏洞。 但是,即使我故意放入一些内容,它似乎也没有找到任何内容。
在以下示例中,假设 staticFinalBaseQuery 声明如下:
public static final String staticFinalBaseQuery = "SELECT foo FROM table其中 id = '";
并假设 userInputfilterString 是包装示例片段的方法的参数。 它直接来自用户输入,并且未经净化。
例如,以下代码片段不会触发警告:
String query = staticFinalBaseQuery + userInputfilterString;
pstmt = dbConnection.prepareStatement(query);
其中 staticFinalBaseQuery 是静态最终字符串,而 userInputfilterString 是直接来自用户输入的字符串,仅在运行时可用,而不是根本擦洗不了。 显然,这是一个漏洞。
我希望触发“A prepared statements is generated from a nonconstant String”警告。
以下代码片段也不会导致警告(这并不奇怪,因为它们的编译形式可能是相同的):
pstmt = dbConnection.prepareStatement(staticFinalBaseQuery + userInputfilterString);
但是,这将导致警告:
pstmt = dbConnection.prepareStatement(staticFinalBaseQuery + userInputfilterString + "'");
如果我附加空字符串或空格,则不会触发警告。
所以,我的问题是,如何让 FindBugs 在我的第一个示例中触发? 我也很好奇为什么第一个不会引起警告,但最后一个会引起警告?
提前致谢!
编辑:我已提交FindBugs 的错误跟踪系统的错误,因为看起来这可能是一个错误。 但是,如果有人有任何建议,我很想听听。
I just installed the FindBugs plugin for Eclipse, with the hope that it will help me find SQL injection vulnerabilities in my code. However, it doesn't seem to be finding anything, even when I deliberately put some in.
In the following examples, assume staticFinalBaseQuery is declared as follows:
public static final String staticFinalBaseQuery = "SELECT foo FROM table where id = '";
and assume userInputfilterString is an argument to the method wrapping the example snippets. It comes direct from user input, and is not sanitized.
For example, the following snippet will not trigger a warning:
String query = staticFinalBaseQuery + userInputfilterString;
pstmt = dbConnection.prepareStatement(query);
Where staticFinalBaseQuery is a static final string, and userInputfilterString is a string direct from user input, available only at runtime, not scrubbed at all. Clearly, this is a vulnerability.
I expect the "A prepared statement is generated from a nonconstant String" warning to be triggered.
The following snippet also does not cause a warning (not surprising, since the compiled forms of these are probably identical):
pstmt = dbConnection.prepareStatement(staticFinalBaseQuery + userInputfilterString);
However, this will cause a warning:
pstmt = dbConnection.prepareStatement(staticFinalBaseQuery + userInputfilterString + "'");
If I append an empty string, or a space, no warning is triggered.
So, my question is, how can I get FindBugs to trigger on my first example? I am also curious why the first doesn't cause a warning, but the last does?
Thanks in advance!
EDIT: I submitted a bug to FindBugs's bug tracking system, as it seems this might be a bug. However, if anyone has any tips, I'd love to hear them.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这里很难区分安全代码和不安全代码。 当然,userInputfilterString可能不安全,但在编译时无法确定这一点。 然而,字符串连接中的单引号字符是使用可注入代码的明显标志。 这就是为什么 FindBugs 在包含该字符的行上触发,但不在仅包含字符串连接的行上触发。
基本上,这不是一个错误,而是软件检查 SQL 注入的能力的限制。 由于字符串可能包含任何东西(即它可能在另一个函数中具有易受攻击的连接),因此不可能让工具确定存在问题。
It is hard to distinguish between safe code and unsafe code here. Sure, userInputfilterString may be unsafe, but it is impossible to determine this at compile time. However, the single-quote character in a string concatenation is a tell-tale sign of using inject-able code. That's why FindBugs is triggering on the line containing this character, but not on the line with mere string concatenation.
Basically, this isn't a bug, but a limitation of how much can be done by software to check for SQL injection. Since the string may contain anything (i.e. it could have the vulnerable concatenation in another function) it is impossible to have the tool determine with any certainty that a problem exists.
我不认为 PMD 或 Checkstyle 也会捕获它,但你可以尝试一下(我经常使用这三个,很好用的工具)。
编辑:PMD 是正确的链接,但我称其为 findbugs...findbugs 在大脑上我猜...
I don't think PMD or Checkstyle will catch it either, but you might give them a try (I use all 3 on a regular basis, good tools to use).
EDIT: PMD was the correct link, but I called it findbugs... findbugs on the brain I guess...
考虑升级到商业软件,例如 http://www.ouncelabs.com/ 这将非常适合您的目的更好的...
Consider upgrading to commercial software such as http://www.ouncelabs.com/ which will serve your purpose much better...