Class FindSqlInjection

java.lang.Object
edu.umd.cs.findbugs.detect.FindSqlInjection
All Implemented Interfaces:
Detector, Priorities
public class FindSqlInjection extends Object implements Detector
Find potential SQL injection vulnerabilities.

  • Field Details

    • PREPARE_STATEMENT_SIGNATURES

      private static final String[] PREPARE_STATEMENT_SIGNATURES

    • EXECUTE_METHODS

      private static final MethodDescriptor[] EXECUTE_METHODS

    • bugReporter

      BugReporter bugReporter

    • bugAccumulator

      BugAccumulator bugAccumulator

    • preparedStatementMethods

      final Map<MethodDescriptor, int[]> preparedStatementMethods

    • executeMethods

      final Map<MethodDescriptor, int[]> executeMethods

    • allMethods

      final Set<MethodDescriptor> allMethods

    • openQuotePattern

      static final Pattern openQuotePattern

    • closeQuotePattern

      static final Pattern closeQuotePattern

    • method

      org.apache.bcel.classfile.Method method

    • classContext

      ClassContext classContext

  • Constructor Details

    • FindSqlInjection

      public FindSqlInjection(BugReporter bugReporter)

  • Method Details

    • visitClassContext

      public void visitClassContext(ClassContext classContext)
      Description copied from interface: Detector
      Visit the ClassContext for a class which should be analyzed for instances of bug patterns.
      Specified by:
      visitClassContext in interface Detector
      Parameters:
      classContext - the ClassContext

    • isStringAppend

      private boolean isStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg)

    • isJava9AndAboveStringAppend

      private boolean isJava9AndAboveStringAppend(org.apache.bcel.generic.Instruction ins, org.apache.bcel.generic.ConstantPoolGen cpg)

    • isConstantStringLoad

      private boolean isConstantStringLoad(Location location, org.apache.bcel.generic.ConstantPoolGen cpg)

    • isOpenQuote

      public static boolean isOpenQuote(String s)

    • isCloseQuote

      public static boolean isCloseQuote(String s)

    • updateStringAppendState

      private FindSqlInjection.StringAppendState updateStringAppendState(Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState)

    • updateJava9AndAboveStringAppendState

      private FindSqlInjection.StringAppendState updateJava9AndAboveStringAppendState(ClassContext ctx, Location location, org.apache.bcel.generic.ConstantPoolGen cpg, FindSqlInjection.StringAppendState stringAppendState)

    • getStringAppendState

      private FindSqlInjection.StringAppendState getStringAppendState(ClassContext ctx, CFG cfg, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException
      Throws:
      CFGBuilderException

    • isSafeValue

      private boolean isSafeValue(Location location, org.apache.bcel.generic.ConstantPoolGen cpg) throws CFGBuilderException
      Throws:
      CFGBuilderException

    • getPreviousInstruction

      @CheckForNull private org.apache.bcel.generic.InstructionHandle getPreviousInstruction(org.apache.bcel.generic.InstructionHandle handle, boolean skipNops)

    • getPreviousLocation

      @CheckForNull private Location getPreviousLocation(CFG cfg, Location startLocation, boolean skipNops)

    • generateBugInstance

      private BugInstance generateBugInstance(org.apache.bcel.classfile.JavaClass javaClass, org.apache.bcel.generic.MethodGen methodGen, org.apache.bcel.generic.InstructionHandle handle, FindSqlInjection.StringAppendState stringAppendState, boolean isExecute)

    • analyzeMethod

      private void analyzeMethod(ClassContext classContext, org.apache.bcel.classfile.Method method) throws DataflowAnalysisException, CFGBuilderException
      Throws:
      DataflowAnalysisException
      CFGBuilderException

    • getValueNumberCreationLocation

      private Location getValueNumberCreationLocation(ValueNumberDataflow vnd, ValueNumber vn)

    • getPassthruParams

      private Set<ValueNumber> getPassthruParams(ValueNumberDataflow vnd, org.apache.bcel.classfile.Method method, org.apache.bcel.classfile.JavaClass javaClass)

    • report

      public void report()
      Description copied from interface: Detector
      This method is called after all classes to be visited. It should be used by any detectors which accumulate information over all visited classes to generate results.
      Specified by:
      report in interface Detector