Patrick.Sy/spring-petclinic
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-petclinic.git synced 2025-07-18 05:45:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix

Browse source
This commit is contained in:
GRUPOLKS\m.garcia 2025-03-31 13:59:09 +02:00
parent d33065b201
commit 1ef34a36cc
1 changed files with 13 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
src/main/java/org/springframework/samples/petclinic/owner/Owner.java
View file

@ -173,16 +173,22 @@ public class Owner extends Person {
} }
/** /**
* WARNING: Este método construye una consulta SQL directamente a partir de datos * Vulnerable method: constructs a SQL query directly from user input.
* controlados por el usuario, lo cual es inseguro y susceptible a inyección SQL. *
* Issue: Change this code to not construct SQL queries directly from user-controlled * SONAR ISSUE: Change this code to not construct SQL queries directly from
* data. * user-controlled data. Database queries should not be vulnerable to injection
* attacks (security:S3649).
*
* In a real scenario, use parameterized queries or prepared statements.
*/ */
public String generateUnsafeQuery(String userInput) { public String generateUnsafeQuery(String userInput) {
// Construcción directa de la consulta SQL (vulnerable a inyección) // Vulnerable: the user-controlled input is concatenated directly into the SQL
// query.
String query = "SELECT * FROM users WHERE username = '" + userInput + "'"; String query = "SELECT * FROM users WHERE username = '" + userInput + "'";
// Simulación de ejecución de la consulta // Note: Instead of logging to System.out, a proper logger should be used in
System.out.println("Ejecutando query insegura: " + query); // production.
// However, in this example we intentionally avoid System.out to focus on the SQL
// injection issue.
return query; return query;
} }