mcp-server-semgrep/semgrep-rules/java/lang/security/audit/formatted-sql-string.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: formatted-sql-string
  metadata:
    cwe:
    - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
    owasp:
    - A01:2017 - Injection
    - A03:2021 - Injection
    source-rule-url: https://find-sec-bugs.github.io/bugs.htm#SQL_INJECTION
    asvs:
      section: 'V5: Validation, Sanitization and Encoding Verification Requirements'
      control_id: 5.3.5 Injection
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v53-output-encoding-and-injection-prevention-requirements
      version: '4'
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
    - https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps
    - https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement
    category: security
    technology:
    - java
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: HIGH
    impact: MEDIUM
    confidence: MEDIUM
  options:
    taint_assume_safe_numbers: true
    taint_assume_safe_booleans: true
  message: >-
    Detected a formatted string in a SQL statement. This could lead to SQL
    injection if variables in the SQL statement are not properly sanitized.
    Use a prepared statements (java.sql.PreparedStatement) instead. You
    can obtain a PreparedStatement using 'connection.prepareStatement'.
  mode: taint
  pattern-sources:
  - patterns:
    - pattern-either:
      - pattern: |
          (HttpServletRequest $REQ)
      - patterns:
        - pattern-inside: |
            $ANNOT $FUNC (..., $INPUT, ...) {
              ...
            }
        - pattern: (String $INPUT)
    - focus-metavariable: $INPUT
    label: INPUT
  - patterns:
    - pattern-either:
      - pattern: $X + $INPUT
      - pattern: $X += $INPUT
      - pattern: $STRB.append($INPUT)
      - pattern: String.format(..., $INPUT, ...)
      - pattern: String.join(..., $INPUT, ...)
      - pattern: (String $STR).concat($INPUT)
      - pattern: $INPUT.concat(...)
      - pattern: new $STRB(..., $INPUT, ...)
    label: CONCAT
    requires: INPUT
  pattern-propagators:
    - pattern: (StringBuffer $S).append($X)
      from: $X
      to: $S
    - pattern: (StringBuilder $S).append($X)
      from: $X
      to: $S
  pattern-sinks:
  - patterns:
    - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE *$/" ...>)
    - pattern-not: $S.$SQLFUNC(<... "=~/.*TABLE %s$/" ...>)
    - pattern-either:
      - pattern: (Statement $S).$SQLFUNC(...)
      - pattern: (PreparedStatement $P).$SQLFUNC(...)
      - pattern: (Connection $C).createStatement(...).$SQLFUNC(...)
      - pattern: (Connection $C).prepareStatement(...).$SQLFUNC(...)
      - pattern: (EntityManager $EM).$SQLFUNC(...)
    - metavariable-regex:
        metavariable: $SQLFUNC
        regex: execute|executeQuery|createQuery|query|addBatch|nativeSQL|create|prepare
    requires: CONCAT
  pattern-sanitizers:
  - patterns:
    - pattern: (CriteriaBuilder $CB).$ANY(...)
  severity: ERROR
  languages:
  - java