Recipe Name:
Injection - SQL Injection in JPA: EntityManager#createNativeQuery
Description:
Avoid SQLi by using parameterized queries, instead of string concatenation with untrusted input
Level:
error
Language:
  • java
Tags:
  • security
  • JPA
  • injection
  • SQL
  • OWASP Top 10
Documentation

Use parameterized queries to prevent SQL injection.

Dynamically creating queries by means of concatenating (untrusted) user input puts the application at risk of SQL injection. An attacker could insert malicious input to obtain or modify data.

Before
entityManager.createNativeQuery("Select * from Books where author = " + author)
    .getResultList();
After
entityManager.createNativeQuery("Select * from Books where author = ?")
    .setParameter(1, author).getResultList();
Resources
Recipe
id: scw:db:jpa:createnativequery
version: 10
metadata:
  name: 'Injection - SQL Injection in JPA: EntityManager#createNativeQuery'
  shortDescription: Avoid SQLi by using parameterized queries, instead of string concatenation with untrusted input
  level: error
  language: java
  enabled: true
  descriptionFile: descriptions/Injection-SQLInjectioninJPAEntityManagercreateNativeQuery.html
  tags: security;JPA;injection;SQL;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: java.lang.String
        value:
          containsUntrustedInput: true
          trustedSources:
          - methodcall:
              name: format
              declaration:
                type: java.lang.String
    name:
      matches: createNativeQuery
    declaration:
      type: javax.persistence.EntityManager
availableFixes:
- name: Use parameterized queries
  actions:
  - parameterize:
      placeholderFormat: '?'
      extractUntrustedInput:
        methodsOnObject:
          methods:
          - methodName: setParameter
            args:
              "1": '{{{ index }}}'
              "2": '{{{.}}}'
          target:
            returnValue:
              useMethodChaining: true