Reintroduce the Java SAST rule find_sec_bugs.CUSTOM_INJECTION-2
We removed this rule because it generated too many false positives. However, a customer of ours still found value in it after tweaking it to improve its signal-to-noise ratio.
Here is the customer's version:
```yaml
rules:
  - id: secarch-java-sqli
    patterns:
      - metavariable-regex:
          metavariable: $QUERY
          regex: (?i)(SELECT|INSERT\sINTO|UPDATE\s(.*)\sSET|DELETE\sFROM)\b
      - pattern-not-regex: \?..
      - pattern-not-regex: :..
      - pattern-not-inside: |
          final String $VAR = ...;
      - pattern-not-inside: |
          @SqlQuery("$QUERY")
      - pattern-not-inside: |
          @SqlBatch("$QUERY")
      - pattern-either:
          - patterns:
              - pattern-inside: |
                  "$QUERY" + ...
              - pattern-not-inside: |
                  "$QUERY" + "..."
          - patterns:
              - pattern: String.format("$QUERY", ...)
              - pattern-not: String.format("$QUERY", "...")
              - pattern-not: String.format("$QUERY")
          - patterns:
              - pattern: |
                  "$QUERY".concat(...)
              - pattern-not: |
                  "$QUERY".concat("...")
          - pattern: (StringBuilder $BUILDER). ... .append("$QUERY")
          - patterns:
              - pattern-inside: |
                  StringBuilder $BUILDER = new StringBuilder("$QUERY");
                  ...
              - pattern: $BUILDER.append(...)
              - pattern-not: $BUILDER.append("...")
          - patterns:
              - pattern-inside: |
                  $VAR = "$QUERY";
                  ...
              - pattern: $VAR += ...
              - pattern-not: $VAR += "..."
    message: The method identified is susceptible to injection. The input should be
      validated and properly escaped.
    languages:
      - java
    severity: WARNING
    metadata:
      category: security
      shortDescription: Improper Neutralization of Special Elements used in an SQL
        Command ('SQL Injection')
      cwe: CWE-89
```
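To make the rule's intended signal concrete, here is a constructed Java test fixture (an added example, not part of the issue or of the customer's submission) that exercises each alternative of the rule and its exemptions. It uses Semgrep's `// ruleid:` / `// ok:` test annotation convention; the class, method and table names are made up, and only the JDBI `@SqlQuery` import refers to a real library.

```java
// Constructed Semgrep test fixture for secarch-java-sqli (added example, not part of
// the issue). `semgrep --test` reads the `// ruleid:` / `// ok:` annotations and
// expects a finding on the line after each `ruleid` comment and none after an `ok`.
import org.jdbi.v3.sqlobject.statement.SqlQuery;

public class SqliRuleFixture {
    static final String TABLE = "users";
    interface UserDao {
        // ok: secarch-java-sqli  (JDBI binds :name; exempted by pattern-not-inside @SqlQuery)
        @SqlQuery("SELECT id FROM users WHERE name = :name")
        int findId(String name);
    }
    String fromConstant() {
        // ok: secarch-java-sqli  (exempted by pattern-not-inside `final String $VAR = ...;`)
        final String query = "SELECT id FROM " + TABLE;
        return query;
    }
    String plusConcat(String user) {
        // ruleid: secarch-java-sqli
        return "SELECT * FROM users WHERE name = '" + user + "'";
    }
    String literalsOnly() {
        // ok: secarch-java-sqli  ("$QUERY" + "..." joins two literals only)
        return "SELECT * FROM users " + "WHERE active = 1";
    }
    String formatted(String table) {
        // ruleid: secarch-java-sqli  (String.format with a non-literal argument)
        return String.format("DELETE FROM %s WHERE stale = 1", table);
    }
    String builder(String order) {
        StringBuilder sb = new StringBuilder("SELECT * FROM users ");
        // ok: secarch-java-sqli  (literal argument, dropped by pattern-not $BUILDER.append("..."))
        sb.append("WHERE active = 1 ");
        // ruleid: secarch-java-sqli
        sb.append(order);
        return sb.toString();
    }
    String compound(String filter) {
        String q;
        q = "UPDATE users SET active = 0";
        // ruleid: secarch-java-sqli  ($VAR += ... after $VAR = "$QUERY";)
        q += " WHERE " + filter;
        return q;
    }
}
```

One caveat visible in the rule itself: `pattern-not-regex: \?..` and `:..` drop any match whose text contains a `?` or `:` followed by two characters, so a concatenation that also carries a placeholder, a ternary or a URL literal is suppressed. That is where part of the lower false-positive rate comes from, and it is a blind spot worth knowing when reviewing results.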
Edited by Dinesh Bolkensteyn