Finding a way to prevent java.sql.Statement from being used in a project

Our team is committed to ensuring better compliance with OWASP recommendations, and one of our goals is to prevent SQL Injection attacks. To facilitate this, I was looking for a way to automatically check the use of java.sql.Statement in our code base, so this can be flagged and changed to use PreparedStatement.

Our build process is based on Maven, and we also have Sonar set up to run project analytics. Some rules are already set in Sonar to reject our builds if certain threshold values are met, so this could be implemented there. I saw where I can set up a Checkstyle regex rule looking for imports, but I wanted to see if there are other options.

Any place along the development / build path will work. If there is something in IntelliJ that would flag it, something in the Maven build process, or otherwise something to flag it in Sonar, any of them would be okay.

Thanks!!

+5
3 answers

I propose creating an architectural constraint in Sonar.

This example shows a rule prohibiting the use of the java.sql.* classes.

+7

I have not used it, but PMD looks like it can be a good tool for this.

+1

Do you have a centralized factory for java.sql.Connection? If so, you could wrap the connection in a proxy/decorator that intercepts createStatement().

import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ProxyConnection implements Connection {
    private static final Logger logger = Logger.getLogger(ProxyConnection.class.getName());
    // counts every createStatement() call so the offenders can be measured
    private static final AtomicLong createCounter = new AtomicLong();
    // flip to true once the code base is clean to fail fast instead of only logging
    private volatile boolean throwOnBadCall = false;

    private final Connection realConnection;

    public ProxyConnection(Connection realConnection) {
        this.realConnection = realConnection;
    }

    @Override
    public Statement createStatement() throws SQLException {
        // count the offenders
        createCounter.incrementAndGet();
        // log the callers -- expensive so maybe every 100th or every 10 secs
        logger.log(Level.INFO, "call to createStatement", new Exception("createStatement"));
        // maybe just throw
        if (throwOnBadCall) {
            throw new SQLException("calls to createStatement aren't allowed");
        }
        return realConnection.createStatement();
    }

    // every other Connection method simply delegates to realConnection (omitted for brevity)
}

... volatile boolean logBadCall ... 80% ...

If you do not have a centralized location for the connection, then you may have to put the connection pool or factory in the chain a little.

Hope this helps.

0
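The decorator approach in the answer above can be done without hand-writing the several dozen methods of java.sql.Connection by using java.lang.reflect.Proxy. The following is an added example, not the answerer's code: the class name StatementGuard, the counter BAD_CALLS and the throwOnBadCall flag are names chosen here; every method other than createStatement() is delegated to the real connection unchanged.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Wraps a real Connection so every createStatement() call is counted, logged and optionally rejected. */
public final class StatementGuard {
    private static final Logger LOG = Logger.getLogger(StatementGuard.class.getName());
    private static final AtomicLong BAD_CALLS = new AtomicLong();
    // start in "log only" mode; switch to true once the code base is clean to fail fast
    private static volatile boolean throwOnBadCall = false;

    public static Connection guard(Connection real) {
        InvocationHandler handler = (proxy, method, args) -> {
            if ("createStatement".equals(method.getName())) {
                BAD_CALLS.incrementAndGet();
                // the attached stack trace points at the offending caller
                LOG.log(Level.WARNING, "java.sql.Statement requested; use PreparedStatement",
                        new Exception("createStatement called here"));
                if (throwOnBadCall) {
                    throw new SQLException("createStatement() is not allowed; use prepareStatement()");
                }
            }
            try {
                return method.invoke(real, args);   // everything else delegates unchanged
            } catch (InvocationTargetException e) {
                throw e.getCause();                 // surface the driver's own exception, not the reflective wrapper
            }
        };
        return (Connection) Proxy.newProxyInstance(
                StatementGuard.class.getClassLoader(), new Class<?>[] {Connection.class}, handler);
    }

    public static long badCalls() { return BAD_CALLS.get(); }

    public static void setThrowOnBadCall(boolean value) { throwOnBadCall = value; }
}
```

Wrap the connection where the pool or factory hands it out (guard(dataSource.getConnection())). Only code paths that actually execute are caught, so treat this as a runtime complement to the static Sonar, PMD or Checkstyle rules from the other answers rather than a replacement.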
