Package edu.umd.cs.findbugs.detect

Class FindSqlInjection

  • All Implemented Interfaces:
    Detector, Priorities
    public class FindSqlInjection
extends java.lang.Object
implements Detector
    Find potential SQL injection vulnerabilities.

    • Field Detail

      • PREPARE_STATEMENT_SIGNATURES

        private static final java.lang.String[] PREPARE_STATEMENT_SIGNATURES

      • preparedStatementMethods

        final java.util.Map<MethodDescriptor,​int[]> preparedStatementMethods

      • openQuotePattern

        static final java.util.regex.Pattern openQuotePattern

      • closeQuotePattern

        static final java.util.regex.Pattern closeQuotePattern

      • method

        org.apache.bcel.classfile.Method method

    • Constructor Detail

      • FindSqlInjection

        public FindSqlInjection​(BugReporter bugReporter)

    • Method Detail

      • visitClassContext

        public void visitClassContext​(ClassContext classContext)
        Description copied from interface: Detector
        Visit the ClassContext for a class which should be analyzed for instances of bug patterns.
        Specified by:
        visitClassContext in interface Detector
        Parameters:
        classContext - the ClassContext

      • isStringAppend

        private boolean isStringAppend​(org.apache.bcel.generic.Instruction ins,
                               org.apache.bcel.generic.ConstantPoolGen cpg)

      • isJava9AndAboveStringAppend

        private boolean isJava9AndAboveStringAppend​(org.apache.bcel.generic.Instruction ins,
                                            org.apache.bcel.generic.ConstantPoolGen cpg)

      • isConstantStringLoad

        private boolean isConstantStringLoad​(Location location,
                                     org.apache.bcel.generic.ConstantPoolGen cpg)

      • isOpenQuote

        public static boolean isOpenQuote​(java.lang.String s)

      • isCloseQuote

        public static boolean isCloseQuote​(java.lang.String s)

      • getPreviousInstruction

        @CheckForNull
private org.apache.bcel.generic.InstructionHandle getPreviousInstruction​(org.apache.bcel.generic.InstructionHandle handle,
                                                                         boolean skipNops)

      • getPreviousLocation

        @CheckForNull
private Location getPreviousLocation​(CFG cfg,
                                     Location startLocation,
                                     boolean skipNops)

      • generateBugInstance

        private BugInstance generateBugInstance​(org.apache.bcel.classfile.JavaClass javaClass,
                                        org.apache.bcel.generic.MethodGen methodGen,
                                        org.apache.bcel.generic.InstructionHandle handle,
                                        FindSqlInjection.StringAppendState stringAppendState,
                                        boolean isExecute)

      • getPassthruParams

        private java.util.Set<ValueNumber> getPassthruParams​(ValueNumberDataflow vnd,
                                                     org.apache.bcel.classfile.Method method,
                                                     org.apache.bcel.classfile.JavaClass javaClass)

      • report

        public void report()
        Description copied from interface: Detector
        This method is called after all classes to be visited. It should be used by any detectors which accumulate information over all visited classes to generate results.
        Specified by:
        report in interface Detector