Tags: sql, security, code-injection, owasp, esapi

Incompatible types error while using the OWASP ESAPI encodeForSQL method with the MySQL codec to protect against SQL injection

I am trying to deal with an SQL injection vulnerability using the OWASP ESAPI encodeForSQL method with the MySQL codec, using the following code.

Here the string parameter `value` is the SQL to be mitigated:

// imports needed at the top of the class
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

private String mitigateSQLI(String value) {
    Encoder instance = ESAPI.encoder();
    Codec c = new MySQLCodec(MySQLCodec.Mode.STANDARD);
    return instance.encodeForSQL(c, value);
}

The service build failed with "incompatible types: org.owasp.esapi.codecs.MySQLCodec cannot be converted to org.owasp.esapi.codecs.Codec" at the return statement.

I tried altering the Codec instance as below:

private String mitigateSQLI(String value) {
    Encoder instance = ESAPI.encoder();
    MySQLCodec c = new MySQLCodec(MySQLCodec.Mode.STANDARD);
    return instance.encodeForSQL(c, value);
}

This doesn't help with the incompatibility at the return statement though.

Note: the Maven dependency used for the codec:

<!-- https://mvnrepository.com/artifact/org.owasp.esapi/esapi -->
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.5.2.0</version>
</dependency>

Error logs:

.java:[90,34] incompatible types: org.owasp.esapi.codecs.MySQLCodec cannot be converted to org.owasp.esapi.codecs.Codec
14:53:33  [INFO] 1 error

 [INFO] ------------------------------------------------------------------------
14:53:33  [INFO] BUILD FAILURE
14:53:33  [INFO] ------------------------------------------------------------------------
14:53:33  [INFO] Total time:  01:59 min
14:53:33  [INFO] Finished at: 2023-07-13T09:23:32Z
14:53:33  [INFO] ------------------------------------------------------------------------

 Compilation failure

ScriptExecutor.java:[90,34] incompatible types: org.owasp.esapi.codecs.MySQLCodec cannot be converted to org.owasp.esapi.codecs.Codec
14:53:33  [ERROR] 
14:53:33  [ERROR] -> [Help 1]
14:53:33  [ERROR]

Solution

  • That may be because Codec is actually Codec<Character>. (See https://javadoc.io/static/org.owasp.esapi/esapi/2.5.2.0/org/owasp/esapi/codecs/MySQLCodec.html for details.)

    The way we have it in our JUnit tests, which seems to work, would be to change:

            MySQLCodec c = new MySQLCodec(MySQLCodec.Mode.STANDARD);

    to:

            Codec c = new MySQLCodec(MySQLCodec.Mode.STANDARD);

    Try that and see if it works.
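A complete, compiling version of the typed-codec approach from the answer, as an added example (not the asker's code and not ESAPI's own); the class name, method names and the `users` table are assumptions. It also shows the ANSI mode of the codec and where the escaped value may safely be placed.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encoder;
import org.owasp.esapi.codecs.Codec;
import org.owasp.esapi.codecs.MySQLCodec;

/** Hypothetical helper class; names are assumptions, not from the question or ESAPI. */
public final class SqlEscapeExample {

    // ESAPI.encoder() loads ESAPI.properties from the classpath or from the
    // directory named by -Dorg.owasp.esapi.resources; without it the call fails.
    private static final Encoder ENCODER = ESAPI.encoder();

    /** Escape a value for a single-quoted MySQL string literal (default sql_mode). */
    static String escapeForMySql(String value) {
        // Codec is generic: Codec<Character>. MySQLCodec is a Codec<Character>,
        // so this assignment type-checks and matches the answer's raw-Codec form.
        Codec<Character> codec = new MySQLCodec(MySQLCodec.Mode.STANDARD);
        return ENCODER.encodeForSQL(codec, value);
    }

    /** Same, for a server running with sql_mode NO_BACKSLASH_ESCAPES (ANSI quoting). */
    static String escapeForAnsiMySql(String value) {
        Codec<Character> codec = new MySQLCodec(MySQLCodec.Mode.ANSI);
        return ENCODER.encodeForSQL(codec, value);
    }

    /**
     * The escaped value is only safe inside a single-quoted literal: the codec
     * escapes quote and metacharacters; it does not make a bare identifier,
     * a numeric context or a LIMIT clause safe. ESAPI's own javadoc recommends
     * PreparedStatement binding over encodeForSQL wherever binding is possible.
     */
    static String buildLookupQuery(String userName) {
        return "SELECT id FROM users WHERE name = '" + escapeForMySql(userName) + "'";
    }

    public static void main(String[] args) {
        // Constructed sample input containing a quote character.
        String input = "O'Reilly";
        System.out.println(escapeForMySql(input));
        System.out.println(escapeForAnsiMySql(input));
        System.out.println(buildLookupQuery(input));
    }
}
```

Pick the codec mode to match the server's sql_mode: STANDARD backslash escaping is undone by NO_BACKSLASH_ESCAPES, in which case only the ANSI form is correct.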