Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ID

scala.inject.scala_inject_rule_custominjection

Severity

low

Resource

Inject

Language

Scala

Description

The identified method builds an SQL command from untrusted input without neutralizing the special elements in it, so it is susceptible to SQL injection. The input should be validated and properly escaped.

Rationale

The identified method builds an SQL command from untrusted input without neutralizing the special elements in it, so it is susceptible to SQL injection. The input should be validated and properly escaped.

The following code illustrates a vulnerable pattern detected by this rule:

import java.sql.{Connection, ResultSet, Statement}
import javax.sql.DataSource

def danger3(dataSource: DataSource, input: String): Unit = {
  val connection: Connection = dataSource.getConnection
  try {
    val statement: Statement = connection.createStatement
    try {
      val resultSet: ResultSet =
        // VULNERABLE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
        // `input` is spliced straight into the query text, so any SQL syntax it contains becomes part of the command.
        statement.executeQuery("select * from Users where name = " + input)
      System.out.println(resultSet)
    } catch {
      case _: Throwable =>
    } finally if (statement != null) statement.close()
  } catch {
    case _: Throwable =>
  } finally if (connection != null) connection.close()
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
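The safe counterpart of `danger3` above, added here as an example and not part of the rule's own documentation: the query text is fixed and the user-supplied value is bound through a `PreparedStatement` parameter, so the driver transmits it as data rather than as SQL syntax. Like the vulnerable sample, it assumes the caller supplies a configured `javax.sql.DataSource`; the table and column names are taken from the sample above.

```scala
import java.sql.ResultSet
import javax.sql.DataSource
import scala.util.{Try, Using}

// Safe version of the lookup shown in the vulnerable sample (added example).
// The SQL string contains only a placeholder; `input` never becomes query text.
def findUsersByName(dataSource: DataSource, input: String): Try[Seq[String]] =
  Using.Manager { use =>
    // Using.Manager closes connection, statement and result set in reverse
    // order, whether or not an exception is thrown.
    val connection = use(dataSource.getConnection)
    val statement  = use(connection.prepareStatement(
      "select name from Users where name = ?"))
    statement.setString(1, input) // bound parameter, not string concatenation
    val rs: ResultSet = use(statement.executeQuery())
    Iterator.continually(rs).takeWhile(_.next()).map(_.getString("name")).toList
  }

// With this version an input such as  ' or '1'='1  is compared literally
// against the name column; with the concatenating version it would alter the
// query's logic. Any failure is returned as a Failure rather than swallowed.
```

Where a value cannot be bound as a parameter (for example a table or column name), restrict it to an explicit allow-list instead of escaping it.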

Configuration

This detector does not need any configuration.

References