Made by DeepSource

Audit: Hibernate query may be vulnerable to injection attacks JAVA-A1040

Security
Critical
a03 cwe-20 cwe-89 cwe-546 cwe-943 sans top 25 owasp top 10

Avoid creating Hibernate SQL queries with strings containing unsanitized input.

Hibernate is a high-level ORM library, but it can also run "raw" queries through the Session.createQuery() and Session.createSQLQuery() methods, which create HQL and native SQL queries respectively.

Both interfaces support parameterization, but nothing stops a caller from building the query string by concatenation. This issue is raised when a Hibernate query string appears to be generated dynamically.

Bad Practice

String userName = request.getParameter("name");
String password = request.getParameter("pass");
// An attacker could freely manipulate the value of userName or password to change the meaning of this query in some way.
List<LoginInfo> infoList = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName='" + userName + "' and password='" + password + "'").list();

Recommended

Make sure to properly parameterize data in queries to prevent such issues. If you wish to safely specify things like column names or even entity types, consider using the Criteria API to do so:

Criteria cr = session.createCriteria(LoginInfo.class);

cr.add(Restrictions.eq("userName", userName));
cr.add(Restrictions.eq("password", password));

List<LoginInfo> infoList = cr.list();

Care must be taken here if column names also need to vary: make sure only valid combinations can reach the query, so that bad input is rejected up front rather than surfacing as an unnecessary exception.

Otherwise, it is usually better to keep the query string constant and vary only the bound parameters.

String userName = request.getParameter("name");
String password = request.getParameter("pass");

List<LoginInfo> infoList = sessionFactory.getCurrentSession().createQuery("from LoginInfo where userName = :username and password = :password").setParameter("username", userName).setParameter("password", password).list();
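The caveat above about varying column names, worked through as an added example (not DeepSource's or Hibernate's own code): caller-chosen filter columns are checked against a fixed allowlist of entity property names before the Criteria is built, and every value is bound rather than concatenated. It assumes a mapped LoginInfo entity with properties userName and email, and an open Hibernate Session supplied by the caller.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.hibernate.Criteria;
import org.hibernate.Session;
import org.hibernate.criterion.Restrictions;

public class LoginInfoLookup {

    // The only entity properties a caller may filter on. Because the
    // property name handed to Restrictions.eq() always comes from this
    // set, request input never reaches the query as a column name.
    private static final Set<String> FILTERABLE_PROPERTIES = Set.of("userName", "email");

    /**
     * Builds a Criteria query from caller-supplied filters (column -> value).
     * Unknown columns are rejected before any query object exists, so an
     * invalid combination is an IllegalArgumentException at the boundary,
     * not a Hibernate exception at execution time (see the note above).
     */
    @SuppressWarnings("unchecked")
    static List<LoginInfo> findByFilters(Session session, Map<String, String> filters) {
        if (filters == null || filters.isEmpty()) {
            throw new IllegalArgumentException("at least one filter is required");
        }
        for (String column : filters.keySet()) {
            if (!FILTERABLE_PROPERTIES.contains(column)) {
                throw new IllegalArgumentException("unsupported filter column: " + column);
            }
        }

        Criteria cr = session.createCriteria(LoginInfo.class);
        for (Map.Entry<String, String> filter : filters.entrySet()) {
            // Column name is one of our own literals; the value is bound by Hibernate.
            cr.add(Restrictions.eq(filter.getKey(), filter.getValue()));
        }
        return cr.list();
    }

    /** Example call: the request may only influence which allowlisted column and which bound value are used. */
    static List<LoginInfo> findByEmail(Session session, String email) {
        return findByFilters(session, Map.of("email", email));
    }
}
```

Session.createCriteria() is deprecated in Hibernate 5.2 and later in favour of the JPA CriteriaBuilder; the allowlist check applies unchanged there, since the property name is still the part that must never come from raw input.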

References

  • OWASP Top Ten (2021) - Category A03 - Injection
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command
  • CWE-20 - Improper Input Validation
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
  • CWE-546 - SQL Injection: Hibernate