Non-safe string is used as SQL
Reports cases for Java and Kotlin languages when a non-safe string is passed to a method as a SQL query. It can be a cause of SQL injections. The list of methods is taken from Settings - Language Injections for SQL
, JPA QL
, Hibernate QL
and PostgreSQL
A safe object is:
a string literal, interface instance, or enum object, int and its wrapper, boolean and its wrapper, class object
a result of a call of a method, whose receiver and arguments are safe
a private field in the same file, which is assigned only with a string literal and has a safe initializer
a final field in the same file, which has a safe initializer
a local variable which is assigned from safe-objects
This field, local variable, or parameter must not be passed as arguments to methods or used as a qualifier or must be a primitive, its wrapper or immutable. Static final fields are considered as safe.
The analysis is performed only inside one file. Example:
Locating this inspection
- By ID
Can be used to locate inspection in e.g. Qodana configuration files, where you can quickly enable or disable it, or adjust its settings.
SqlSourceToSinkFlow- Via Settings dialog
Path to the inspection settings via IntelliJ Platform IDE Settings dialog, when you need to adjust inspection settings directly from your IDE.
New in 2023.2
Inspection options
Here you can find the description of settings available for the Non-safe string is used as SQL inspection, and the reference of their default values.
- Consider parameters of private methods as safe
Default: Selected
- Consider private or final fields in the same class as safe
Default: Selected
- Report strings that are too complex to verify
Not selected
- Untainted annotations
[javax.annotation.Untainted, org.checkerframework.checker.tainting.qual.Untainted]
- Safe classes
[java.lang.Boolean, boolean, kotlin.Boolean, java.lang.Class, kotlin.reflect.KClass, char, java.lang.Character, kotlin.Char, int, java.lang.Integer, kotlin.Int, long, java.lang.Long, kotlin.Long]
- Untainted methods
None
Inspection Details | |
---|---|
By default bundled with: | |
Can be installed with plugin: | Persistence Frameworks, 243.23126 |