In the code below, string param is tainted because it is returned from a source method getParameter. So is buf1, because it is derived from param in the call to append on line 6. Finally, string query is passed to sink method executeQuery.
1 String param = req.getParameter("user");
2
3 StringBuffer buf1;
4 StringBuffer buf2;
5 ...
6 buf1.append(param);
7 String query = buf2.toString();
8 con.executeQuery(query);
Unless we know that variables buf1 and buf2 may never refer to the same object, we would have to conservatively assume that they may. Since buf1 is tainted, variable query may also refer to a tainted object. Thus a conservative tool that lacks additional information about pointers will flag the call to executeQuery on line 8 as potentially unsafe.
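The effect of pointer information on the verdict can be reproduced with a small flow-insensitive taint analysis over a hand-written IR of the listing. This is an added illustration, not the paper's tool: the statement encoding, the "conservative" points-to model (every StringBuffer collapses into one abstract object, so buf1 and buf2 may alias) and the "precise" model (one abstract object per allocation site, here assumed to be lines 3 and 4) are all constructed for the example.

```python
"""Toy flow-insensitive taint analysis illustrating why a must-not-alias
fact for buf1/buf2 decides whether executeQuery on line 8 is reported.
Added example; not the analysis from the paper."""
from dataclasses import dataclass
from typing import Optional

SOURCE_METHODS = {"getParameter"}   # return attacker-controlled strings
SINK_METHODS = {"executeQuery"}     # must never receive tainted strings


@dataclass(frozen=True)
class Stmt:
    line: int
    kind: str               # "source" | "new" | "append" | "tostring" | "sink"
    target: Optional[str]   # variable written by the statement, if any
    args: tuple = ()


# Hand-written IR for the listing above (constructed). The '...' on line 5 is
# assumed to hide the two StringBuffer allocations, modelled on lines 3 and 4.
PROGRAM = [
    Stmt(1, "source", "param", ("getParameter",)),        # param = req.getParameter(...)
    Stmt(3, "new", "buf1"),                               # buf1 = new StringBuffer()
    Stmt(4, "new", "buf2"),                               # buf2 = new StringBuffer()
    Stmt(6, "append", "buf1", ("param",)),                # buf1.append(param)
    Stmt(7, "tostring", "query", ("buf2",)),              # query = buf2.toString()
    Stmt(8, "sink", None, ("executeQuery", "query")),     # con.executeQuery(query)
]


def points_to(program, precise):
    """Map each reference variable to the abstract heap objects it may refer to.

    precise=False: no alias information, all buffers share one abstract object.
    precise=True:  one abstract object per allocation site (its line number).
    """
    pt = {}
    for s in program:
        if s.kind == "new":
            pt[s.target] = {f"obj@line{s.line}"} if precise else {"obj@anywhere"}
    return pt


def analyze(program, precise):
    """Return [(line, sink_method)] for every sink that may receive tainted data."""
    pt = points_to(program, precise)
    tainted_vars, tainted_objs = set(), set()
    changed = True
    while changed:  # iterate to a fixpoint so the result is order-independent
        changed = False
        for s in program:
            before = (len(tainted_vars), len(tainted_objs))
            if s.kind == "source" and s.args[0] in SOURCE_METHODS:
                tainted_vars.add(s.target)
            elif s.kind == "append" and s.args[0] in tainted_vars:
                tainted_objs |= pt[s.target]       # taint flows into the buffer's objects
            elif s.kind == "tostring" and pt[s.args[0]] & tainted_objs:
                tainted_vars.add(s.target)         # reading a possibly-tainted object taints the result
            if (len(tainted_vars), len(tainted_objs)) != before:
                changed = True
    return [(s.line, s.args[0]) for s in program
            if s.kind == "sink" and s.args[0] in SINK_METHODS and s.args[1] in tainted_vars]


if __name__ == "__main__":
    print("without alias info:", analyze(PROGRAM, precise=False))  # line 8 reported
    print("with alias info:   ", analyze(PROGRAM, precise=True))   # nothing reported
```

Without alias information the analysis reports line 8, exactly the false positive the text describes; once buf1 and buf2 are known to point to distinct objects, the taint on buf1 never reaches query and the report disappears. The same mechanism is why a real analysis needs a points-to analysis as precise as the code base allows: every spurious may-alias pair is a potential false warning.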
This code snippet obtains a user name (userName) by invoking request.getParameter("name") and uses it to construct a query to be passed to a database for execution (con.execute(query)). This seemingly innocent piece of code may allow an attacker to gain access to unauthorized information: if an attacker has full control of string userName obtained from an HTTP request, he can for example set it to ' OR 1 = 1; --. Two dashes are used to indicate comments in the Oracle dialect of SQL, so the WHERE clause of the query effectively becomes the tautology name = '' OR 1 = 1. This allows the attacker to circumvent the name check and get access to all user records in the database.
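The tautology and its fix can be exercised end to end against an in-memory database. This is an added example, not code from the paper: the users table, its rows and the two lookup functions are constructed here; SQLite is used in place of Oracle, and it accepts the same `--` line-comment syntax, so the input from the text produces the same WHERE clause.

```python
"""String-concatenated query (the pattern the text describes) beside its
parameterised replacement, run against a constructed SQLite table.
Added example; not the paper's code."""
import sqlite3

# Constructed sample data standing in for the application's Users table.
SAMPLE_USERS = [("alice", "s1"), ("bob", "s2"), ("carol", "s3")]

# The input from the text: closes the quoted name, appends a tautology,
# and comments out the rest of the statement.
TAUTOLOGY_INPUT = "' OR 1 = 1; --"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, user_name):
    """Builds the query by concatenation, as in the snippet the text discusses."""
    query = "SELECT name FROM users WHERE name = '" + user_name + "'"
    # For TAUTOLOGY_INPUT this is: SELECT name FROM users WHERE name = '' OR 1 = 1; --'
    return [row[0] for row in con.execute(query)]


def lookup_safe(con, user_name):
    """Binds user_name as a parameter: it is compared as data, never parsed as SQL."""
    return [row[0] for row in
            con.execute("SELECT name FROM users WHERE name = ?", (user_name,))]


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "alice"))           # ['alice']
    print(lookup_vulnerable(con, TAUTOLOGY_INPUT))   # every user: the name check is bypassed
    print(lookup_safe(con, TAUTOLOGY_INPUT))         # []: no user is literally named that
```

The parameterised form is the remediation the taint-analysis approach is meant to enforce: executeQuery-style sinks that receive a tainted string are reports, while a prepared statement whose SQL text is a constant and whose tainted values travel only through bound parameters is not.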
Does this vulnerability still exist today?