Title: Medium severity CWE-89 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02528.java:55 by appsecai-app[bot] · Pull Request #138 · AppSecureAI/BenchmarkJava100-ProdEval · GitHub
Open Graph Title: Medium severity CWE-89 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02528.java:55 by appsecai-app[bot] · Pull Request #138 · AppSecureAI/BenchmarkJava100-ProdEval
X Title: Medium severity CWE-89 vulnerability in src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02528.java:55 by appsecai-app[bot] · Pull Request #138 · AppSecureAI/BenchmarkJava100-ProdEval
Description: Vulnerability Information AppSecAI Vulnerability ID: 69654fbefc355c4beda09b6e Vulnerability: SQL Injection CWE Classification: CWE-89 Severity: Medium File: src/main/java/org/owasp/benchmark/testcode/BenchmarkTest02528.java Detection Rule: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request Description: Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead. Triage Analysis Status: Confirmed vulnerability Security Assessment: Severity: Critical Confidence: 100% Analysis User input from request.getParameterValues() flows through doSomething() without sanitization and is directly concatenated into the SQL string at line 55 using string concatenation ('{{call ' + bar + '}}'). While prepareCall() is used, the SQL string is pre-constructed with user input rather than using parameterized queries. The doSomething() method merely stores the user input in a list and retrieves it - providing no sanitization. An attacker can inject malicious SQL by crafting the BenchmarkTest02528 parameter value. Recommended Remediation Replace string concatenation with parameterized callable statements. Use placeholders in the SQL string and bind user input via setString(). Example: String sql = '{call stored_procedure(?)}'; statement.prepareCall(sql); statement.setString(1, bar); Remediation Details Fix Description: Summary Fixed SQL injection vulnerability in BenchmarkTest02528.java by adding input validation before constructing the callable statement SQL string. Bug Fix Explanation: The code constructed a SQL callable statement by directly concatenating user-controlled input (bar) into the SQL string: String sql = "{call " + bar + "}". Since bar originates from HTTP request parameters without sanitization, attackers could inject malicious SQL metacharacters to manipulate the query or execute arbitrary SQL commands. Fixed by validating the input against a whitelist pattern (^[a-zA-Z0-9_]+$) that only permits alphanumeric characters and underscores. This prevents injection of SQL metacharacters such as quotes, semicolons, hyphens, parentheses, or spaces that could be used to break out of the intended SQL context. If validation fails, the request is rejected with an error message before any database interaction occurs. This approach is secure because: Whitelist validation is the strongest defense - only explicitly allowed characters can pass through Fails closed - invalid input is rejected rather than processed Defense in depth - validation occurs before SQL construction, preventing any malicious input from reaching the database layer Complete protection - blocks all common SQL injection vectors including comment injection, query stacking, and quote escaping The fix maintains complete API compatibility, preserving all method signatures, return values, and expected behavior for legitimate stored procedure names. Changes Made: Updated source code with secure implementation This PR was generated automatically to address a security vulnerability. Please review the changes carefully before merging.
Open Graph Description: Vulnerability Information AppSecAI Vulnerability ID: 69654fbefc355c4beda09b6e Vulnerability: SQL Injection CWE Classification: CWE-89 Severity: Medium File: src/main/java/org/owasp/benchmark/testco...
X Description: Vulnerability Information AppSecAI Vulnerability ID: 69654fbefc355c4beda09b6e Vulnerability: SQL Injection CWE Classification: CWE-89 Severity: Medium File: src/main/java/org/owasp/benchmark/testco...
Opengraph URL: https://github.com/AppSecureAI/BenchmarkJava100-ProdEval/pull/138
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:200a9045-67c7-24a9-de90-bd88ada0cbcf |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | DCBA:2AE2E2:3032EEB:3E82F68:6A5CD259 |
| html-safe-nonce | 4c89d3cf2c06ba3f9d19cfd9882fbbceaa7dca4c5deca733e6d417bfe5404b9a |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEQ0JBOjJBRTJFMjozMDMyRUVCOjNFODJGNjg6NkE1Q0QyNTkiLCJ2aXNpdG9yX2lkIjoiNzgyNTUxMDA4MjQ0NDg0MTU2MSIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | dd69abe4d82f21fdc644f60d1ec2ff43e8a78fdd2c491310f787af5a497afd9e |
| hovercard-subject-tag | pull_request:3167381354 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/AppSecureAI/BenchmarkJava100-ProdEval/pull/138/files |
| twitter:image | https://avatars.githubusercontent.com/in/2416777?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/2416777?s=400&v=4 |
| og:image:alt | Vulnerability Information AppSecAI Vulnerability ID: 69654fbefc355c4beda09b6e Vulnerability: SQL Injection CWE Classification: CWE-89 Severity: Medium File: src/main/java/org/owasp/benchmark/testco... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 5290d7e14309ad1e76106a9c4237bd1041517e83ea182c8ab756752cb0c6940b |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/AppSecureAI/BenchmarkJava100-ProdEval git https://github.com/AppSecureAI/BenchmarkJava100-ProdEval.git |
| octolytics-dimension-user_id | 148882153 |
| octolytics-dimension-user_login | AppSecureAI |
| octolytics-dimension-repository_id | 1132931500 |
| octolytics-dimension-repository_nwo | AppSecureAI/BenchmarkJava100-ProdEval |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | true |
| octolytics-dimension-repository_parent_id | 1095020699 |
| octolytics-dimension-repository_parent_nwo | AppSecureAI/BenchmarkJava100-public |
| octolytics-dimension-repository_network_root_id | 1095020699 |
| octolytics-dimension-repository_network_root_nwo | AppSecureAI/BenchmarkJava100-public |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 9c975978430e9ad293956f2bbdaf153b1bd84a99 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width