Skip to content

Potential fix for code scanning alert no. 38: Query built from user-controlled sources #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
davewichers wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Potential fix for code scanning alert no. 38: Query built from user-controlled sources #9

davewichers wants to merge 2 commits into from

Conversation

@davewichers
Copy link
Member

@davewichers davewichers commented Feb 4, 2026

Potential fix for https://github.com/aspectsecurity/TestCodeQL/security/code-scanning/38

In general, the problem is solved by using parameterized queries (prepared statements) instead of building SQL with string concatenation. User input should be bound as parameters so the JDBC driver sends data values separately from the SQL code, preventing injection.

For this specific code, the best fix without changing observable functionality is to (1) change the SQL string to use a placeholder (?) for the password instead of concatenating param, and (2) call a parameterized Spring JDBC method that binds param to that placeholder. JdbcTemplate already supports parameter binding, so we can reuse it rather than writing custom logic. Since the static helper DatabaseHelper.JDBCtemplate is used directly, we only need to adjust the sql definition and the call to queryForRowSet at lines 47–50.

Concretely in src/main/java/org/owasp/benchmark/testcode/Benchmark00026.java:

  • Replace line 47’s concatenated string with a parameterized query:
    String sql = "SELECT * from USERS where USERNAME='foo' and PASSWORD=?";
  • Replace line 50’s call with one that supplies parameters:
    queryForRowSet(sql, param);

No new imports are required, because we still reference DatabaseHelper.JDBCtemplate and SqlRowSet by fully qualified name.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

davewichers and others added 2 commits February 4, 2026 13:04
@davewichers @github-advanced-security
Potential fix for code scanning alert no. 38: Query built from user-c…
91c62e0 
…ontrolled sources

Fix SQL in Benchmark00026 via JDBCtemplate.queryForRowSet()

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@davewichers
Fix format.
ba120be
@davewichers davewichers marked this pull request as ready for review February 4, 2026 19:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@davewichers