Veracode Scan and CWE-89 (SQL Injection)


Brian Campbell

May 25, 2016, 12:23:53 AM
to HikariCP, Brian Kraig Campbell
We recently transitioned from BoneCP to HikariCP.  We use Veracode to do security scanning as part of our continuous integration build process.  There were flaws reported against Hikari under the CWE-89 (SQL Injection) flaw.  The two classes flagged were the ProxyStatement and ProxyPreparedStatement classes.

After reading the "Down the Rabbit Hole" article I believe that these three instances of "execute*()" should be mitigated as "by design" due to Hikari intercepting all of these interactions with the java.sql.* classes to properly manage connections.

Can someone confirm this or correct me?

Thanks,
Brian

Brett Wooldridge

May 25, 2016, 2:50:13 AM
to HikariCP, Brian.C...@mckesson.com
Hi Brian,

I would consider that a false positive.  All of the proxy execute() methods simply call the delegate (real) connection, like so:

   public boolean execute(String sql) throws SQLException
   {
      // pool bookkeeping only: note that this connection may now have uncommitted work
      connection.markCommitStateDirty();
      // the SQL text is handed to the driver's real Statement unchanged
      return delegate.execute(sql);
   }

So, if there is a SQL injection issue, it would be with the underlying driver and not HikariCP.

Regards,
Brett

Brian Pontarelli

May 25, 2016, 8:59:33 AM
to hika...@googlegroups.com, Brian.C...@mckesson.com
It's probably much more likely that it is in the application rather than the driver. ;)


Brian Campbell

May 25, 2016, 9:58:13 AM
to HikariCP, Brian.C...@mckesson.com
Thanks for the replies.  I agree that these are false positives and that it's up to the application to guard against the various sql injection scenarios as long as connection pools are only proxying the calls.
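To make the thread's conclusion concrete, here is an added example (not code from the thread or from HikariCP itself) showing where the CWE-89 risk actually lives. It assumes HikariCP and the H2 in-memory database are on the classpath; the table, rows and the `users`/`name` identifiers are constructed for the demo. Both methods obtain a connection from the pool, so the same proxied `execute*()` path is used in each case; the only difference is whether the application assembles the SQL text from untrusted input or binds it as a parameter.

```java
import com.zaxxer.hikari.HikariConfig;
import com.zaxxer.hikari.HikariDataSource;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PoolInjectionDemo {

    // Vulnerable: the SQL text is assembled from untrusted input before it reaches
    // the pool. HikariCP's ProxyStatement forwards that text to the driver as-is,
    // so the injection point is this concatenation, not the proxy.
    static int countUsersVulnerable(HikariDataSource ds, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + username + "'";
        try (Connection c = ds.getConnection();
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Mitigated: the query shape is fixed at compile time and the untrusted value is
    // bound as a parameter, so the driver treats it as data, never as SQL.
    static int countUsersSafe(HikariDataSource ds, String username) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        HikariConfig cfg = new HikariConfig();
        // constructed in-memory database; assumes the H2 driver is on the classpath
        cfg.setJdbcUrl("jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1");
        try (HikariDataSource ds = new HikariDataSource(cfg)) {
            try (Connection c = ds.getConnection(); Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users(name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('alice'), ('bob')");
            }
            // constructed input that closes the string literal and appends a tautology
            String hostile = "x' OR '1'='1";
            // the concatenated query's WHERE clause no longer filters by name
            System.out.println("vulnerable: " + countUsersVulnerable(ds, hostile));
            // the bound parameter is compared literally against the name column
            System.out.println("safe:       " + countUsersSafe(ds, hostile));
        }
    }
}
```

When triaging a scanner finding like the one in this thread, trace the reported sink back to where the SQL string is built: a finding on a pass-through method such as `ProxyStatement.execute(String)` can be marked as a false positive for the library, while any concatenation of request data into SQL in the application (the `countUsersVulnerable` pattern above) is the real CWE-89 instance and should be fixed with a `PreparedStatement` and bound parameters.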