Class FindSqlInjection

java.lang.Object
edu.umd.cs.findbugs.detect.FindSqlInjection
All Implemented Interfaces:
Detector, Priorities

public class FindSqlInjection extends Object implements Detector
Find potential SQL injection vulnerabilities.
  • Field Details

    • PREPARE_STATEMENT_SIGNATURES

      private static final String[] PREPARE_STATEMENT_SIGNATURES
    • EXECUTE_METHODS

      private static final MethodDescriptor[] EXECUTE_METHODS
    • bugReporter

      BugReporter bugReporter
    • bugAccumulator

      BugAccumulator bugAccumulator
    • preparedStatementMethods

      final Map<MethodDescriptor,int[]> preparedStatementMethods
    • executeMethods

      final Map<MethodDescriptor,int[]> executeMethods
    • allMethods

      final Set<MethodDescriptor> allMethods
    • openQuotePattern

      static final Pattern openQuotePattern
    • closeQuotePattern

      static final Pattern closeQuotePattern
    • method

      org.apache.bcel.classfile.Method method
    • classContext

      ClassContext classContext
  • Constructor Details

    • FindSqlInjection

      public FindSqlInjection(BugReporter bugReporter)
  • Method Details

    • visitClassContext

      public void visitClassContext(ClassContext classContext)
      Description copied from interface: Detector
      Visit the ClassContext for a class which should be analyzed for instances of bug patterns.
      Specified by:
      visitClassContext in interface Detector
      Parameters:
      classContext - the ClassContext
    • isStringAppend

      private boolean isStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg)
    • isJava9AndAboveStringAppend

      private boolean isJava9AndAboveStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg)
    • isConstantStringLoad

      private boolean isConstantStringLoad(Location location, org.apache.bcel.generic.ConstantPoolGen cpg)
    • isOpenQuote

      public static boolean isOpenQuote(String s)
    • isCloseQuote

      public static boolean isCloseQuote(String s)
    • updateStringAppendState

      private FindSqlInjection.StringAppendState updateStringAppendState(Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState)
    • updateJava9AndAboveStringAppendState

      private FindSqlInjection.StringAppendState updateJava9AndAboveStringAppendState(ClassContext ctx, Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState)
    • getStringAppendState

      private FindSqlInjection.StringAppendState getStringAppendState(ClassContext ctx, CFG cfg, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException
      Throws:
      CFGBuilderException
    • isSafeValue

      private boolean isSafeValue(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException
      Throws:
      CFGBuilderException
    • getPreviousInstruction

      @CheckForNull private org.apache.bcel.generic.InstructionHandle getPreviousInstruction(org.apache.bcel.generic.InstructionHandle handle, boolean skipNops)
    • getPreviousLocation

      @CheckForNull private Location getPreviousLocation(CFG cfg, Location startLocation, boolean skipNops)
    • generateBugInstance

      private BugInstance generateBugInstance(org.apache.bcel.classfile.JavaClass javaClass, org.apache.bcel.generic.MethodGen methodGen, org.apache.bcel.generic.InstructionHandle handle, FindSqlInjection.StringAppendState stringAppendState, boolean isExecute)
    • analyzeMethod

      private void analyzeMethod(ClassContext classContext, org.apache.bcel.classfile.Method method) throws DataflowAnalysisException, CFGBuilderException
      Throws:
      DataflowAnalysisException
      CFGBuilderException
    • getValueNumberCreationLocation

      private Location getValueNumberCreationLocation(ValueNumberDataflow vnd, ValueNumber vn)
    • getPassthruParams

      private Set<ValueNumber> getPassthruParams(ValueNumberDataflow vnd, org.apache.bcel.classfile.Method method, org.apache.bcel.classfile.JavaClass javaClass)
    • report

      public void report()
      Description copied from interface: Detector
      This method is called after all classes to be visited. It should be used by any detectors which accumulate information over all visited classes to generate results.
      Specified by:
      report in interface Detector