Patrick.Sy/spring-petclinic
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-petclinic.git synced 2025-07-17 21:35:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix

Browse source
This commit is contained in:
GRUPOLKS\m.garcia 2025-03-31 13:59:09 +02:00
parent d33065b201
commit 1ef34a36cc
1 changed files with 13 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/main/java/org/springframework/samples/petclinic/owner/Owner.java
View file

@ -173,16 +173,22 @@ public class Owner extends Person {
}
/**
* WARNING: Este método construye una consulta SQL directamente a partir de datos
* controlados por el usuario, lo cual es inseguro y susceptible a inyección SQL.
* Issue: Change this code to not construct SQL queries directly from user-controlled
* data.
* Vulnerable method: constructs a SQL query directly from user input.
*
* SONAR ISSUE: Change this code to not construct SQL queries directly from
* user-controlled data. Database queries should not be vulnerable to injection
* attacks (security:S3649).
*
* In a real scenario, use parameterized queries or prepared statements.
*/
public String generateUnsafeQuery(String userInput) {
// Construcción directa de la consulta SQL (vulnerable a inyección)
// Vulnerable: the user-controlled input is concatenated directly into the SQL
// query.
String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
// Simulación de ejecución de la consulta
System.out.println("Ejecutando query insegura: " + query);
// Note: Instead of logging to System.out, a proper logger should be used in
// production.
// However, in this example we intentionally avoid System.out to focus on the SQL
// injection issue.
return query;
}