My Checkmarx report flags this method in my Spring Boot app as a High severity Second Order SQL Injection:
public void updateEmployees(int storeId) {
    List<Employee> employees = employeeRepo.findByStoreId(storeId);
    employees.stream().forEach(e -> {
        e.setActive('Y');
        employeeRepo.save(e);
    });
}
Per Checkmarx:
... The application constructs this SQL query by embedding an untrusted string into the query without proper sanitization. The concatenated string is submitted to the database, where it is parsed and executed accordingly.
The setActive('Y') line appears to be the issue.
The guidance I find on data sanitization for Spring Data JPA usage suggests using a TypedQuery, created from an entityManager instance. Something like:
String jql = "from Employee where storeId = :storeId";
TypedQuery<Employee> q = em.createQuery(jql, Employee.class)
        .setParameter("storeId", storeId);
In my app, however, the EntityManager is implicitly created by Spring Boot.
So in order to implement "proper sanitization" here, do I need to explicitly create the EntityManager instance (to access its createQuery method)? Or is there a more straightforward way to implement this that does not require explicit EntityManager instantiation?
This is a false positive; you need to contact the vendor and notify them about this case. When Hibernate generates SQL, it uses PreparedStatement. All the Entity fields that you change will be sent separately from the query - there won't be any concatenation.
Spring Data doesn't change the way Hibernate works with entities. So either this is a false positive, or you're looking at the wrong line of code.
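To make the distinction in the answer concrete, here is an added example (not from the question, the answer, or Spring/Hibernate) that reproduces what a second-order SQL injection actually requires, and shows why a bind parameter removes it. A value containing SQL syntax is stored safely through a parameterized INSERT; it only becomes an attack when some later query concatenates the stored value back into SQL text. The table name, column names, sample rows and the `activate_by_name_*` functions are all constructed for this example; sqlite3 stands in for the real database, and the `?` placeholder plays the role of the PreparedStatement parameters Hibernate emits for `where store_id=?` and `set active=? ... where id=?`.

```python
import sqlite3

# Constructed sample data. Row 3's name is a second-order payload: it is
# written with a bound parameter (harmless) and only does damage if a later
# statement splices the stored string into SQL text.
SAMPLE_EMPLOYEES = [
    (1, 10, "alice", "N"),
    (2, 10, "bob", "N"),
    (3, 20, "carol' OR '1'='1", "N"),
]


def setup_db():
    """Create an in-memory table and load the constructed rows via bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee (id INTEGER PRIMARY KEY, store_id INTEGER, "
        "name TEXT, active TEXT)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", SAMPLE_EMPLOYEES)
    conn.commit()
    return conn


def stored_names(conn, store_id):
    """First-order read by store id with a bound parameter (what findByStoreId does)."""
    rows = conn.execute("SELECT name FROM employee WHERE store_id = ?", (store_id,))
    return [row[0] for row in rows]


def activate_by_name_concat(conn, name):
    """VULNERABLE: a value read back from the database is concatenated into SQL.
    This is the sink a 'second order' finding is about."""
    sql = "UPDATE employee SET active = 'Y' WHERE name = '" + name + "'"
    conn.execute(sql)
    conn.commit()


def activate_by_name_bound(conn, name):
    """HARDENED: the same value travels as a bind parameter; the SQL text is fixed,
    so quotes inside the value are data, never syntax."""
    conn.execute("UPDATE employee SET active = 'Y' WHERE name = ?", (name,))
    conn.commit()


def active_ids(conn):
    """Ids of rows now marked active, in id order."""
    rows = conn.execute("SELECT id FROM employee WHERE active = 'Y' ORDER BY id")
    return [row[0] for row in rows]


def run(use_concat):
    """Read store 20's names, then activate each one through the chosen sink."""
    conn = setup_db()
    sink = activate_by_name_concat if use_concat else activate_by_name_bound
    for name in stored_names(conn, 20):
        sink(conn, name)
    return active_ids(conn)


if __name__ == "__main__":
    print("concatenated sink activated:", run(True))   # every row, not just store 20
    print("bound-parameter sink activated:", run(False))  # only row 3
```

The concatenated path ends up executing `UPDATE employee SET active = 'Y' WHERE name = 'carol' OR '1'='1'` and flips every row; the bound path updates only the row whose name literally equals the payload. The question's method never builds SQL text at all: the derived `findByStoreId` query and the `save(e)` UPDATE are both generated by Hibernate with `?` placeholders, so there is no sink of the first kind for the stored value to reach. You can confirm this on your own application by turning on Hibernate's statement and bind logging (`logging.level.org.hibernate.SQL=DEBUG` plus `logging.level.org.hibernate.type.descriptor.sql.BasicBinder=TRACE` on Hibernate 5, or `logging.level.org.hibernate.orm.jdbc.bind=TRACE` on Hibernate 6) and checking that the logged UPDATE contains placeholders and the `Y` appears only in the separate "binding parameter" lines.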