返回 Skill 列表
extension
分类: 开发与工程无需 API Key

cwe-89-sql-injection

当需要修复Java代码中的CWE-89(SQL命令中使用的特殊元素不恰当的中和)漏洞时,请使用此技能。触发于静态应用安全测试结果、安全审查或修复SQL命令中使用的特殊元素不当处理的问题。

person作者: jakexiaohubgithub

CWE-89 Improper Neutralization of Special Elements used in an SQL Command

Description

Improper Neutralization of Special Elements used in an SQL Command

Reference: https://cwe.mitre.org/data/definitions/89.html

OWASP Category: A03:2021 – Injection


Vulnerable Pattern

❌ Example 1

    public ResponseEntity<String> getCarInformationLevel1(
            @RequestParam Map<String, String> queryParams) {
        String id = queryParams.get(Constants.ID);
        BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
        return applicationJdbcTemplate.query(
                "select * from cars where id=" + id,
                (rs) -> {
                    if (rs.next()) {
                        return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
                    }
                    return bodyBuilder.body(
                            ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
                });
    }

❌ Example 2

    public ResponseEntity<String> getCarInformationLevel2(
            @RequestParam Map<String, String> queryParams) {
        String id = queryParams.get(Constants.ID);
        BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
        bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
        return applicationJdbcTemplate.query(
                "select * from cars where id='" + id + "'",
                (rs) -> {
                    if (rs.next()) {
                        return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
                    }
                    return bodyBuilder.body(
                            ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
                });
    }

Deterministic Fix

✅ Secure Implementation

    public ResponseEntity<String> getCarInformationLevel2(
            @RequestParam Map<String, String> queryParams) {
        String id = queryParams.get(Constants.ID);
        BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
        bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
        return applicationJdbcTemplate.query(
                "select * from cars where id='" + id + "'",
                (rs) -> {
                    if (rs.next()) {
                        return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
                    }
                    return bodyBuilder.body(
                            ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
                });
    }

✅ Secure Implementation

    public ResponseEntity<String> getCarInformationLevel2(
            @RequestParam Map<String, String> queryParams) {
        String id = queryParams.get(Constants.ID);
        BodyBuilder bodyBuilder = ResponseEntity.status(HttpStatus.OK);
        bodyBuilder.body(ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
        return applicationJdbcTemplate.query(
                "select * from cars where id='" + id + "'",
                (rs) -> {
                    if (rs.next()) {
                        return bodyBuilder.body(CAR_IS_PRESENT_RESPONSE);
                    }
                    return bodyBuilder.body(
                            ErrorBasedSQLInjectionVulnerability.CAR_IS_NOT_PRESENT_RESPONSE);
                });
    }

Detection Pattern

Look for these patterns in your codebase:

# Find JdbcTemplate queries with concatenation
grep -rn "jdbcTemplate.query" --include="*.java" | grep -E "\+.*\"|\".*\+"
# Find raw Statement usage
grep -rn "createStatement\(\)" --include="*.java"

Remediation Steps

  1. Identify string concatenation in SQL query construction

  2. Replace concatenated values with ? placeholders

  3. Use PreparedStatement or equivalent parameterized API

  4. Bind user input via setString(), setInt(), etc.

  5. Validate input types match expected database column types


Key Imports


import java.sql.PreparedStatement;

import org.springframework.jdbc.core.JdbcTemplate;


Verification

After remediation:

  • Re-run SAST scan - CWE-89 should be resolved

  • Test with injection payloads: ' OR '1'='1, 1; DROP TABLE--

  • Verify query still returns expected results


Trigger Examples

Fix CWE-89 vulnerability
Resolve Improper Neutralization of Special Elements used in an SQL Command issue
Secure this Java code against improper neutralization of special elements used in an sql command
SAST reports CWE-89

Common Vulnerable Locations

| Layer | Files | Patterns | |-------|-------|----------|

| Controller | *Controller.java | Query params to DB |

| Service | *Service.java | Business logic queries |

| Repository | *Repository.java | Custom queries |


References


Source: Generated by Java CWE Security Skills Generator Last Updated: 2026-03-07