Package edu.umd.cs.findbugs.detect
Class FindSqlInjection
java.lang.Object
edu.umd.cs.findbugs.detect.FindSqlInjection
- All Implemented Interfaces:
Detector
,Priorities
Find potential SQL injection vulnerabilities.
-
Nested Class Summary
Nested Classes -
Field Summary
FieldsModifier and TypeFieldDescription(package private) final Set
<MethodDescriptor> (package private) BugAccumulator
(package private) BugReporter
(package private) ClassContext
(package private) static final Pattern
private static final MethodDescriptor[]
(package private) final Map
<MethodDescriptor, int[]> (package private) org.apache.bcel.classfile.Method
(package private) static final Pattern
private static final String[]
(package private) final Map
<MethodDescriptor, int[]> Fields inherited from interface edu.umd.cs.findbugs.Priorities
EXP_PRIORITY, HIGH_PRIORITY, IGNORE_PRIORITY, LOW_PRIORITY, NORMAL_PRIORITY
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionprivate void
analyzeMethod
(ClassContext classContext, org.apache.bcel.classfile.Method method) private BugInstance
generateBugInstance
(org.apache.bcel.classfile.JavaClass javaClass, org.apache.bcel.generic.MethodGen methodGen, org.apache.bcel.generic.InstructionHandle handle, FindSqlInjection.StringAppendState stringAppendState, boolean isExecute) private Set
<ValueNumber> getPassthruParams
(ValueNumberDataflow vnd, org.apache.bcel.classfile.Method method, org.apache.bcel.classfile.JavaClass javaClass) private org.apache.bcel.generic.InstructionHandle
getPreviousInstruction
(org.apache.bcel.generic.InstructionHandle handle, boolean skipNops) private Location
getPreviousLocation
(CFG cfg, Location startLocation, boolean skipNops) getStringAppendState
(ClassContext ctx, CFG cfg, org.apache.bcel.generic.ConstantPoolGen cpg) private Location
static boolean
private boolean
isConstantStringLoad
(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) private boolean
isJava9AndAboveStringAppend
(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg) static boolean
private boolean
isSafeValue
(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) private boolean
isStringAppend
(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg) void
report()
This method is called after all classes to be visited.updateJava9AndAboveStringAppendState
(ClassContext ctx, Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState) updateStringAppendState
(Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState) void
visitClassContext
(ClassContext classContext) Visit the ClassContext for a class which should be analyzed for instances of bug patterns.
-
Field Details
-
PREPARE_STATEMENT_SIGNATURES
-
EXECUTE_METHODS
-
bugReporter
BugReporter bugReporter -
bugAccumulator
BugAccumulator bugAccumulator -
preparedStatementMethods
-
executeMethods
-
allMethods
-
openQuotePattern
-
closeQuotePattern
-
method
org.apache.bcel.classfile.Method method -
classContext
ClassContext classContext
-
-
Constructor Details
-
FindSqlInjection
-
-
Method Details
-
visitClassContext
Description copied from interface:Detector
Visit the ClassContext for a class which should be analyzed for instances of bug patterns.- Specified by:
visitClassContext
in interfaceDetector
- Parameters:
classContext
- the ClassContext
-
isStringAppend
private boolean isStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg) -
isJava9AndAboveStringAppend
private boolean isJava9AndAboveStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg) -
isConstantStringLoad
private boolean isConstantStringLoad(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) -
isOpenQuote
-
isCloseQuote
-
updateStringAppendState
private FindSqlInjection.StringAppendState updateStringAppendState(Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState) -
updateJava9AndAboveStringAppendState
private FindSqlInjection.StringAppendState updateJava9AndAboveStringAppendState(ClassContext ctx, Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState) -
getStringAppendState
private FindSqlInjection.StringAppendState getStringAppendState(ClassContext ctx, CFG cfg, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException - Throws:
CFGBuilderException
-
isSafeValue
private boolean isSafeValue(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException - Throws:
CFGBuilderException
-
getPreviousInstruction
@CheckForNull private org.apache.bcel.generic.InstructionHandle getPreviousInstruction(org.apache.bcel.generic.InstructionHandle handle, boolean skipNops) -
getPreviousLocation
-
generateBugInstance
private BugInstance generateBugInstance(org.apache.bcel.classfile.JavaClass javaClass, org.apache.bcel.generic.MethodGen methodGen, org.apache.bcel.generic.InstructionHandle handle, FindSqlInjection.StringAppendState stringAppendState, boolean isExecute) -
analyzeMethod
private void analyzeMethod(ClassContext classContext, org.apache.bcel.classfile.Method method) throws DataflowAnalysisException, CFGBuilderException -
getValueNumberCreationLocation
-
getPassthruParams
private Set<ValueNumber> getPassthruParams(ValueNumberDataflow vnd, org.apache.bcel.classfile.Method method, org.apache.bcel.classfile.JavaClass javaClass) -
report
public void report()Description copied from interface:Detector
This method is called after all classes to be visited. It should be used by any detectors which accumulate information over all visited classes to generate results.
-