Reports Java and Kotlin code in which a non-safe string is passed to a method as an SQL query.
Such calls can lead to SQL injection.
The list of methods is taken from Settings - Language Injections for SQL, JPA QL, Hibernate QL and PostgreSQL.
A safe object is:
- a string literal; an interface instance or enum object; an int or its wrapper; a boolean or its wrapper; a class object
- a result of a call of a method, whose receiver and arguments are safe
- a private field in the same file, which is assigned only with a string literal and has a safe initializer
- a final field in the same file, which has a safe initializer
- a local variable which is assigned from safe-objects
Such a field, local variable, or parameter must either not be passed as an argument to methods or used as a qualifier, or must be a primitive, its wrapper, or an immutable type.
Static final fields are considered as safe.
The analysis is performed only inside one file.
Example (the parameter sql is not a safe object, so the call is reported):
public void save(String sql) {
    JdbcTemplate jdbcTemplate = new JdbcTemplate();
    jdbcTemplate.queryForList(sql);
}
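The following class is an added example, not part of the inspection description, contrasting the reported pattern above with the forms the safety rules accept. It assumes Spring's JdbcTemplate (queryForList with and without bound arguments); the class and method names are hypothetical.

```java
// Added example (not from the inspection description): which query arguments
// the safety rules above treat as non-safe versus safe, using Spring's
// JdbcTemplate. The class and method names are hypothetical.
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.jdbc.core.JdbcTemplate;

public class UserRepository {

    // Static final field with a string-literal initializer: considered safe.
    private static final String FIND_ALL = "SELECT id, name FROM users";

    private final JdbcTemplate jdbcTemplate;

    public UserRepository(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    // NOT SAFE: the query text is a method parameter, so the caller
    // controls the whole statement. This is the shape the inspection reports.
    public List<Map<String, Object>> runRaw(String sql) {
        return jdbcTemplate.queryForList(sql);
    }

    // NOT SAFE: the local variable is built from a non-safe parameter, so it
    // is not "assigned from safe objects"; untrusted text becomes part of the SQL.
    public List<Map<String, Object>> findByNameConcat(String name) {
        String sql = "SELECT id, name FROM users WHERE name = '" + name + "'";
        return jdbcTemplate.queryForList(sql);
    }

    // SAFE: a string literal passed directly as the query.
    public List<Map<String, Object>> findAllLiteral() {
        return jdbcTemplate.queryForList("SELECT id, name FROM users");
    }

    // SAFE: a static final field with a safe initializer.
    public List<Map<String, Object>> findAllConstant() {
        return jdbcTemplate.queryForList(FIND_ALL);
    }

    // SAFE: the query text is a literal; the untrusted value is bound as a
    // statement parameter, so it never becomes part of the SQL text.
    public List<Map<String, Object>> findByNameParameterized(String name) {
        return jdbcTemplate.queryForList(
                "SELECT id, name FROM users WHERE name = ?", name);
    }

    // SAFE: a local variable whose every assignment is a string literal.
    // String is immutable, so passing it to queryForList does not taint it.
    public List<Map<String, Object>> findByActiveFlag(boolean active) {
        String sql;
        if (active) {
            sql = "SELECT id, name FROM users WHERE active = TRUE";
        } else {
            sql = "SELECT id, name FROM users WHERE active = FALSE";
        }
        return jdbcTemplate.queryForList(sql);
    }
}
```

The fix for a reported call is the one shown in findByNameParameterized: keep the SQL text a literal or constant and pass user-controlled values as bound parameters rather than splicing them into the string.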
New in 2023.2