Class FindSqlInjection

  • All Implemented Interfaces:
    Detector, Priorities

    public class FindSqlInjection
    extends java.lang.Object
    implements Detector
    Find potential SQL injection vulnerabilities.
    • Field Detail

      • PREPARE_STATEMENT_SIGNATURES

        private static final java.lang.String[] PREPARE_STATEMENT_SIGNATURES
      • preparedStatementMethods

        final java.util.Map<MethodDescriptor,int[]> preparedStatementMethods
      • openQuotePattern

        static final java.util.regex.Pattern openQuotePattern
      • closeQuotePattern

        static final java.util.regex.Pattern closeQuotePattern
      • method

        org.apache.bcel.classfile.Method method
    • Constructor Detail

      • FindSqlInjection

        public FindSqlInjection(BugReporter bugReporter)
    • Method Detail

      • visitClassContext

        public void visitClassContext(ClassContext classContext)
        Description copied from interface: Detector
        Visit the ClassContext for a class which should be analyzed for instances of bug patterns.
        Specified by:
        visitClassContext in interface Detector
        Parameters:
        classContext - the ClassContext
      • isStringAppend

        private boolean isStringAppend(org.apache.bcel.generic.Instruction ins,
                                       org.apache.bcel.generic.ConstantPoolGen cpg)
      • isJava9AndAboveStringAppend

        private boolean isJava9AndAboveStringAppend(org.apache.bcel.generic.Instruction ins,
                                                    org.apache.bcel.generic.ConstantPoolGen cpg)
      • isConstantStringLoad

        private boolean isConstantStringLoad(Location location,
                                             org.apache.bcel.generic.ConstantPoolGen cpg)
      • isOpenQuote

        public static boolean isOpenQuote(java.lang.String s)
      • isCloseQuote

        public static boolean isCloseQuote(java.lang.String s)
      • getPreviousInstruction

        @CheckForNull
        private org.apache.bcel.generic.InstructionHandle getPreviousInstruction(org.apache.bcel.generic.InstructionHandle handle,
                                                                                 boolean skipNops)
      • getPreviousLocation

        @CheckForNull
        private Location getPreviousLocation(CFG cfg,
                                             Location startLocation,
                                             boolean skipNops)
      • generateBugInstance

        private BugInstance generateBugInstance(org.apache.bcel.classfile.JavaClass javaClass,
                                                org.apache.bcel.generic.MethodGen methodGen,
                                                org.apache.bcel.generic.InstructionHandle handle,
                                                FindSqlInjection.StringAppendState stringAppendState,
                                                boolean isExecute)
      • getPassthruParams

        private java.util.Set<ValueNumber> getPassthruParams(ValueNumberDataflow vnd,
                                                             org.apache.bcel.classfile.Method method,
                                                             org.apache.bcel.classfile.JavaClass javaClass)
      • report

        public void report()
        Description copied from interface: Detector
        This method is called after all classes have been visited. It should be used by any detectors which accumulate information over all visited classes to generate results.
        Specified by:
        report in interface Detector