Parameterize into array

The array extraction will extract the untrusted input into a configured array.

The array extraction has only two properties: type, which defines the type of the extracted array, and atArgumentPosition, which determines the argument position at which the array will be inserted.

Note

atArgumentPosition is 1-based, not 0-based.

availableFixes:
- name: "Fix the code by ..."
  actions:
  - parameterize:
      placeholderFormat: "?"
      extractUntrustedInput:
        array:
          type: "java.lang.Object[]"
          atArgumentPosition: 3
  public User searchUser(DirContext ctx, String user, String password) {
-     String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
+     String filter = "(&(uid=?)(userpassword=?))";
-     ctx.search("ou=system", filter, new SearchControls());
+     ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
      // ...
  }
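Review bot: The new-side filter `String filter = "(&(uid=?)(userpassword=?))";` will not be parameterized by JNDI, because `DirContext.search(String, String, Object[], SearchControls)` only substitutes variables written as `{i}` (`{0}`, `{1}`, …); a `?` is an ordinary filter character, so the search would look for the literal value `?` and the `user`/`password` elements of the inserted array would never be bound. For this API the filter on the new side should read `String filter = "(&(uid={0})(userpassword={1}))";`, with the `placeholderFormat` in the configuration above chosen to produce that form, assuming the format can express an index, which this page does not show. The same point applies to the other `searchUser` examples further down the page, whose new-side filters also use `?`. It is worth stating in the prose that the placeholder syntax depends on the target API, since the SQL `query` example later on legitimately uses `?` while the JNDI one cannot.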
  public User searchUser(DirContext ctx, String user, String password) {
-     String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
+     String filter = "(&(uid=?)(userpassword=?))";
-     ctx.search("ou=system", filter, new SearchControls());
+     ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
      // ...
  }
  public User searchUser(DirContext ctx, String user, String password) {
-     String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
+     String filter = "(&(uid=?)(userpassword=?))";
-     ctx.search("ou=system", filter, null, new SearchControls());
+     ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
      // ...
  }

Sensei will reuse an array that is already present if its type matches the configured type.

  public User searchUser(DirContext ctx, String user, String password) {
-     String filter = "(&(uid=" + user + ")(userpassword=" + password + "))";
+     String filter = "(&(uid=?)(userpassword=?))";
-     ctx.search("ou=system", filter, new Object[0], new SearchControls());
+     ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
      // ...
  }
  public User searchUser(DirContext ctx, String user, String password) {
-     String filter = "(&(uid=?)(userpassword=" + password + "))";
+     String filter = "(&(uid=?)(userpassword=?))";
-     ctx.search("ou=system", filter, new Object[]{user}, new SearchControls());
+     ctx.search("ou=system", filter, new Object[]{user, password}, new SearchControls());
      // ...
  }

When performing the array extraction, Sensei will determine whether a varargs overload is available and use it if so.

 abstract Result query(String query);
 abstract Result query(String query, Object... arguments);

 Result findUser(String name, String email)
 {
-    String s = "SELECT * FROM users WHERE name = '" + name + "' AND email = '" + email + "'";
+    String s = "SELECT * FROM users WHERE name = ? AND email = ?";
-    Result result = query(s);
+    Result result = query(s, name, email);
 }