Non-safe string is used as SQL
Reports cases in Java and Kotlin code where a non-safe string is passed to a method as a SQL query. Such a string can be a source of SQL injection. The list of query methods is taken from Settings | Language Injections for SQL, JPA QL, Hibernate QL and PostgreSQL.
A safe object is one of the following:

- a string literal, an interface instance, an enum object, an `int` or its wrapper, a `boolean` or its wrapper, or a class object;
- the result of a method call whose receiver and arguments are all safe;
- a private field in the same file that is assigned only from string literals and has a safe initializer;
- a final field in the same file that has a safe initializer;
- a local variable that is assigned only from safe objects.

A field, local variable, or parameter counted as safe must additionally either never be passed as an argument to a method or used as a qualifier, or be a primitive, its wrapper, or an immutable type. Static final fields are always considered safe.
The analysis is performed only inside one file. Example:
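The following Java class is an added illustration of the rules above and is not the inspection's own example from the original page. The `users` table, its columns, and the method names are constructed for the illustration; the comments state how each query string is classified under the rules listed above and the inspection's default options.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added illustration (not from the inspection documentation).
// Table and column names are assumptions made for this example.
public class UserLookup {

    // Static final field: always considered safe.
    private static final String ALL_USERS = "SELECT COUNT(*) FROM users";

    // Private final field assigned only from a string literal: safe
    // (option "Consider private or final fields in the same class as safe").
    private final String activeUsers = "SELECT COUNT(*) FROM users WHERE active = 1";

    // Safe: the query comes from a safe field.
    int countAll(Connection conn) throws SQLException {
        return runCount(conn, ALL_USERS);
    }

    // Safe: local variable assigned only from safe objects
    // (a static final constant and a string literal).
    int countActive(Connection conn) throws SQLException {
        String query = activeUsers;
        return runCount(conn, query);
    }

    // REPORTED: the parameter of a non-private method is not safe, and
    // concatenating it into the query makes the whole string non-safe.
    // This is the SQL injection sink the inspection is designed to catch.
    int countByNameUnsafe(Connection conn, String name) throws SQLException {
        String query = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        return runCount(conn, query);
    }

    // Not reported: the SQL text is a literal; the untrusted value is bound as a
    // parameter and never becomes part of the query string.
    int countByNameSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps =
                     conn.prepareStatement("SELECT COUNT(*) FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt(1) : 0;
            }
        }
    }

    // Parameters of private methods are treated as safe by default (option
    // "Consider parameters of private methods as safe"), so passing `sql` to
    // executeQuery here is not reported. The analysis stops at the file
    // boundary, so this helper relies on every caller in this file supplying
    // a safe string; the check happens at those call sites, not here.
    private int runCount(Connection conn, String sql) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }
}
```

Of the four callers of `runCount`, only `countByNameUnsafe` builds its argument from a non-safe value, so it is the one call site the inspection reports; rewriting it in the style of `countByNameSafe` removes the finding because the query string becomes a plain literal.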
New in 2023.2
Inspection options
| Option | Type | Default |
|---|---|---|
| Consider parameters of private methods as safe | Checkbox | true |
| Consider private or final fields in the same class as safe | Checkbox | true |
| Report strings that are too complex to verify | Checkbox | false |
| Untainted annotations | StringList | [javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted] |
| Safe classes | StringList | [java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass, char, java.lang.Character, kotlin.Char, int, java.lang.Integer, kotlin.Int, long, java.lang.Long, kotlin.Long] |
| Untainted methods | Table | None |
| Untainted methods: Class Name | TableColumn | [] |
| Untainted methods: Method Name Regex | TableColumn | [] |
| Inspection Details | |
|---|---|
| Available in: | IntelliJ IDEA 2023.3, Qodana for JVM 2023.3 |
| Plugin: | Persistence Frameworks, 233.SNAPSHOT |