Parameterize into array
=======================

The ``array`` extraction extracts the untrusted input into a configured array.
The ``array`` extraction has only two properties: ``type`` defines the type of
the extracted array, and ``atArgumentPosition`` determines the argument position
at which the array will be inserted into the call.

.. note::
   ``atArgumentPosition`` is 1-based, not 0-based.

.. code-block:: yaml
   :emphasize-lines: 6-9

   availableFixes:
     - name: "Fix the code by ..."
       actions:
         - parameterize:
             placeholderFormat: "?"
             extractUntrustedInput:
               array:
                 type: "java.lang.Object[]"
                 atArgumentPosition: 3

.. code-block:: diff
   :emphasize-lines: 4-5

    public User searchUser(DirContext ctx, String user, String password) {
   -    String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
   +    String filter = "(&(uid=?)(userpassword=?))";
   -    ctx.search("ou=system", filter, new SearchControls());
   +    ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
        // ...
    }

Check that ``placeholderFormat`` is a placeholder the target API actually
interprets: the extracted array only removes the injection if the callee
substitutes its elements into the query. JNDI's
``DirContext.search(String, String, Object[], SearchControls)``, used in the
examples on this page, expects indexed ``{0}``, ``{1}`` placeholders, so a
filter written with ``?`` would be sent to the directory with a literal ``?``
and the values in the array would never be substituted. The examples below
keep the ``?`` from the configuration above; set ``placeholderFormat`` to
whatever the API you are fixing expects.

.. code-block:: diff
   :emphasize-lines: 4-5

    public User searchUser(DirContext ctx, String user, String password) {
   -    String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
   +    String filter = "(&(uid=?)(userpassword=?))";
   -    ctx.search("ou=system", filter, new SearchControls());
   +    ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
        // ...
    }

.. code-block:: diff
   :emphasize-lines: 4-5

    public User searchUser(DirContext ctx, String user, String password) {
   -    String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
   +    String filter = "(&(uid=?)(userpassword=?))";
   -    ctx.search("ou=system", filter, null, new SearchControls());
   +    ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
        // ...
    }

If an array whose type matches the configured ``type`` is already present at
``atArgumentPosition``, Sensei reuses that array instead of inserting a new
argument: the extracted inputs are appended to the elements it already holds.

.. code-block:: diff
   :emphasize-lines: 4-5

    public User searchUser(DirContext ctx, String user, String password) {
   -    String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
   +    String filter = "(&(uid=?)(userpassword=?))";
   -    ctx.search("ou=system", filter, new Object[0], new SearchControls());
   +    ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
        // ...
    }

.. code-block:: diff
   :emphasize-lines: 4-5

    public User searchUser(DirContext ctx, String user, String password) {
   -    String filter = "(&(uid=?)(userpassword=" + password + "))";
   +    String filter = "(&(uid=?)(userpassword=?))";
   -    ctx.search("ou=system", filter, new Object[]{user}, new SearchControls());
   +    ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
        // ...
    }

When performing the array extraction, Sensei checks whether the called method
accepts varargs at the configured position. If it does, the extracted inputs
are passed as individual trailing arguments rather than wrapped in an explicit
array.

.. code-block:: diff
   :emphasize-lines: 8-9

    abstract Result query(String query);
    abstract Result query(String query, Object... arguments);

    Result findUser(String name, String email) {

   -    String s = "SELECT * FROM users WHERE name = '" + name + "' AND email = '" + email + "'";
   +    String s = "SELECT * FROM users WHERE name = ? AND email = ?";
   -    Result result = query(s);
   +    Result result = query(s, name, email);
    }