Skip to content

Potential fix for code scanning alert no. 45: Query built from user-controlled sources #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
davewichers wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Potential fix for code scanning alert no. 45: Query built from user-controlled sources #7

davewichers wants to merge 1 commit into from

Conversation

@davewichers
Copy link
Member

@davewichers davewichers commented Feb 4, 2026

Potential fix for https://github.com/aspectsecurity/TestCodeQL/security/code-scanning/45

In general, the problem is that user-controlled data (bar) is concatenated into an SQL statement string that is then executed using java.sql.Statement. To fix this, we should switch to using a PreparedStatement with parameter placeholders (?) for any dynamic values, and then bind the untrusted value via the appropriate setXxx method. This way, the database driver treats the password as data, not as part of the SQL syntax, preventing SQL injection.

The best fix here, without changing existing functionality, is to change the construction and execution of the query in Benchmark00603.doPost so that:

  • The SQL string is defined with a ? placeholder instead of concatenating bar.
  • A java.sql.PreparedStatement is obtained from the same connection helper (by calling getSqlConnection() or similar). Since we are not allowed to change helpers we haven’t seen, we will obtain a java.sql.Connection using org.owasp.benchmark.helpers.DatabaseHelper.getSqlConnection() (which is a standard helper in this project) and create a PreparedStatement from it.
  • The bar value is bound to the placeholder using preparedStatement.setString(1, bar);.
  • The query is executed via executeQuery() or executeUpdate() as appropriate; to maintain similar behavior (and to keep printResults usage aligned), we can use executeQuery() and pass the original SQL string (with the literal ? placeholder) to printResults.

Concretely, in src/main/java/org/owasp/benchmark/testcode/Benchmark00603.java, we will:

  • Replace the String sql = ... line to use a placeholder instead of concatenation.
  • Replace the java.sql.Statement statement = ...; statement.execute(...); block with code that:
    • Obtains a java.sql.Connection from DatabaseHelper.getSqlConnection().
    • Prepares the statement (connection.prepareStatement(sql, Statement.RETURN_GENERATED_KEYS)).
    • Sets the password parameter with setString(1, bar).
    • Executes the query.
    • Passes the PreparedStatement (which implements Statement) and the SQL string to DatabaseHelper.printResults.

Thing1.java does not need changes for the SQLi fix; it simply passes through the value and has no database logic.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@davewichers @github-advanced-security
Potential fix for code scanning alert no. 45: Query built from user-c…
5e4a384 
…ontrolled sources

Fix SQLi in Benchmark00603.java:64

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@davewichers davewichers marked this pull request as ready for review February 4, 2026 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@davewichers