# Use Parameterized JPA Query

# Description

JPA defines the Java Persistence Query Language (JPQL). A JPQL query string may be constructed by concatenating string literals with user-defined expressions (e.g., variables, method invocations, user input, etc.). Such string concatenation in JPQL exposes the same kind of injection vulnerability as a concatenated native SQL query, because the user input may contain fragments that the JPQL parser interprets as query code rather than as a value.
This rule looks for queries of type javax.persistence.Query that are created by EntityManager::createQuery. The vulnerable concatenations in the JPQL query string are replaced by positional parameters bound with Query::setParameter, so that the user-supplied values can only be treated as data and never as code.

Requirements

Activation of this rule requires the following classpath entries to be present:

# Benefits

Prevents SQL injections when using the Java Persistence API (JPA).

# Tags

# Code Changes

# Using Query get single result

Pre

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Vulnerable: the raw value is concatenated into the JPQL text, so "1 OR 1 = 1" becomes part of the query.
String orderId = "1 OR 1 = 1";
EntityManager entityManager = getEntityManager();
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = " + orderId);
Object singleResult = jpqlQuery.getSingleResult();
```

Post

```java
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Parameterized: the query text is constant and the value is bound as positional parameter ?1.
String orderId = "1 OR 1 = 1";
EntityManager entityManager = getEntityManager();
Query jpqlQuery = entityManager.createQuery("Select order from Orders order where order.id = ?1");
jpqlQuery.setParameter(1, orderId);
Object singleResult = jpqlQuery.getSingleResult();
```

# Using Query get result list

Pre

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Vulnerable: both values are concatenated into the JPQL text.
String orderId1 = "1000000000";
String orderId2 = "1 OR 1 = 1";
EntityManager entityManager = getEntityManager();
Query jpqlQuery = entityManager.createQuery(
		"Select order from Orders order where order.id = " + orderId1 + " or order.id = " + orderId2);
List resultList = jpqlQuery.getResultList();
```

Post

```java
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.Query;

// Parameterized: each former concatenation becomes its own positional parameter.
String orderId1 = "1000000000";
String orderId2 = "1 OR 1 = 1";
EntityManager entityManager = getEntityManager();
Query jpqlQuery = entityManager
		.createQuery("Select order from Orders order where order.id = ?1" + " or order.id = ?2");
jpqlQuery.setParameter(1, orderId1);
jpqlQuery.setParameter(2, orderId2);
List resultList = jpqlQuery.getResultList();
```
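The two "Post" snippets above bind raw strings to the id parameter. The following added example (not part of the jSparrow documentation or its rule output) shows how a practitioner would typically wrap both queries in a repository: the JPQL text stays constant, named parameters are used, the input is converted to the column's type before it is bound, and the no-result case is handled. It assumes an `Order` entity declared as `@Entity(name = "Orders")` with a `Long id` field, and an `EntityManager` supplied by the application.

```java
import java.util.List;
import java.util.Optional;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.TypedQuery;

// Assumed entity: @Entity(name = "Orders") public class Order { @Id Long id; ... }
// The EntityManager is assumed to be provided by the surrounding application.
public final class OrderRepository {

    private final EntityManager entityManager;

    public OrderRepository(EntityManager entityManager) {
        this.entityManager = entityManager;
    }

    // The input is converted to the column's type before it reaches the query.
    // A value such as "1 OR 1 = 1" is rejected here with a NumberFormatException
    // instead of ever becoming part of the JPQL text.
    private static long parseId(String rawId) {
        return Long.parseLong(rawId.trim());
    }

    // Parameterized form of the "get single result" example: constant query text,
    // the value travels through setParameter, and the absent-row case is handled
    // rather than leaking NoResultException to the caller.
    public Optional<Order> findById(String rawId) {
        TypedQuery<Order> query = entityManager.createQuery(
                "select o from Orders o where o.id = :id", Order.class);
        query.setParameter("id", parseId(rawId));
        try {
            return Optional.of(query.getSingleResult());
        } catch (NoResultException e) {
            return Optional.empty();
        }
    }

    // Parameterized form of the "get result list" example with two named parameters.
    public List<Order> findByEitherId(String rawId1, String rawId2) {
        TypedQuery<Order> query = entityManager.createQuery(
                "select o from Orders o where o.id = :id1 or o.id = :id2", Order.class);
        query.setParameter("id1", parseId(rawId1));
        query.setParameter("id2", parseId(rawId2));
        return query.getResultList();
    }
}
```

Using `TypedQuery` instead of the raw `Query` type additionally removes the unchecked cast that the raw `List` in the snippets above would require.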

Use a Java Refactoring Tool

No license required

You can review this refactoring on your code without a license by installing jSparrow in your Eclipse IDE. Install the plug-in from the Eclipse Marketplace.

System-wide Refactoring

Do you want to automate this refactoring (and many more) across your system-wide code? The automatic application of this system-wide refactoring can be unlocked by acquiring a jSparrow license.


# Properties

| Property | Value |
|---|---|
| Rule ID | UseParameterizedJPAQuery |
| First seen in jSparrow version | 3.18.0 |
| Minimum Java version | 1.1 |
| Remediation cost | 10 min |
| Links | |