Good Afternoon

I believe the usage of org.springframework.data.jpa.repository.Query in combination with org.springframework.data.repository.query.Param prevents SQL injection through these parameters.
For example:

    @Modifying
    @Query("DELETE FROM User c WHERE c.issuer = :issuer AND c.subject = :subject")
    void deleteByIssSub(@Param("issuer") String issuer, @Param("subject") String subject);

should be secure. Please correct me if I am wrong.

Now I'm looking for documentation which describes that the usage of @Param in combination with @Query prevents SQL injection (through string escaping). But I can't find this documentation.

Am I wrong?

Tim

1 Answer

Does this help? How to prevent SQL Injection with JPA and Hibernate?

By default, when you are using arguments ( =: ) and when you are setting parameters ( .setParameter("issuer", issuer) ) in your code, you reduce the chances of SQL injection to 0, because you are building the query through your code; you are not allowing a user to send any query to the database in altered form. The only thing he can send is arguments, and only expected arguments.

https://mkyong.com/hibernate/hibernate-parameter-binding-examples/

As long as you avoid building dynamic queries with String concatenation you will be safe, but if you really need to use dynamic queries, you need to use the Criteria API instead.

EDIT: No one can guarantee that for you because, and I quote from the OWASP page: "Hibernate does not grant immunity to SQL Injection, one can misuse the API as they please." So no one will say that it is 100% bulletproof, because people can code and use an API in ways it was not supposed to be used or designed for. https://owasp.org/www-community/Hibernate#Security_Implications

Who is OWASP? The OWASP® Foundation works to improve the security of software through its community-led open-source software projects, hundreds of chapters worldwide, tens of thousands of members, and by hosting local and global conferences.

No matter how much a car might be safe, the manufacturer will never say "our car is uncrashable", they will just state that it is really safe. The same goes for security. Nothing is 100% safe with the human factor involved.

zawarudo
  • Thank you, but this isn't what I'm looking for. I'm looking for documentation or an API where I can see that @Query and @Param are safe to use. Something like a proof. Not just an answer in a forum or a reference to the similar setParameter method... I found the documentation saying that setParameter is safe: https://www.baeldung.com/sql-injection#1parameterized-queries – Tim Apr 09 '21 at 12:24
  • I will update my answer just to provide you more info on why you cannot find any proof in the docs. Also, Baeldung is not documentation, it is a site where programmers with a green light from moderators post their examples in exchange for cash. – zawarudo Apr 09 '21 at 17:03
  • Okay, thank you. I understand your point. I was thinking that something like this must be the reason for the missing information. I don't need a promise that everything is safe, but I would have a good feeling when I find a point where somebody wrote that they know the issue of SQL injection and they built in some mechanisms to prevent it. Otherwise I would think the author doesn't care about SQL injection and passes that responsibility to the programmer who uses the library. – Tim Apr 12 '21 at 14:47
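The three patterns discussed above side by side, as an added example that is not code from the question or the answer: the @Query/@Param method from the question (with the @Modifying and @Transactional annotations Spring Data JPA requires for a DML query), the String-concatenation pattern the answer warns against, and the Criteria API variant it recommends for dynamic queries. It assumes a hypothetical JPA entity User with issuer and subject fields and the pre-Jakarta javax.persistence packages.

```java
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.criteria.*;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
import org.springframework.data.jpa.repository.Query;
import org.springframework.data.repository.query.Param;
import org.springframework.stereotype.Repository;
import org.springframework.transaction.annotation.Transactional;

// Assumed (hypothetical) entity: @Entity class User { Long id; String issuer; String subject; }
public interface UserRepository extends JpaRepository<User, Long> {
    // Safe: the JPQL text is a constant; :issuer and :subject are bind parameters, so the
    // values reach the database separately from the statement text and cannot change its
    // structure. @Modifying (inside a transaction) is what Spring Data JPA needs for DML.
    @Modifying
    @Transactional
    @Query("DELETE FROM User c WHERE c.issuer = :issuer AND c.subject = :subject")
    void deleteByIssSub(@Param("issuer") String issuer, @Param("subject") String subject);
}

@Repository
class UserDynamicQueries {
    @PersistenceContext
    private EntityManager em;

    // UNSAFE pattern the answer warns about: the caller-supplied value is spliced into
    // the JPQL text, so quote characters inside it are parsed as query syntax.
    @Transactional
    public int deleteByIssuerUnsafe(String issuer) {
        String jpql = "DELETE FROM User c WHERE c.issuer = '" + issuer + "'";
        return em.createQuery(jpql).executeUpdate();
    }

    // Safe dynamic query via the Criteria API: the optional subject condition is added
    // structurally, and both values are still passed as named bind parameters.
    @Transactional
    public int deleteDynamic(String issuer, String subjectOrNull) {
        CriteriaBuilder cb = em.getCriteriaBuilder();
        CriteriaDelete<User> delete = cb.createCriteriaDelete(User.class);
        Root<User> root = delete.from(User.class);
        Predicate where = cb.equal(root.get("issuer"), cb.parameter(String.class, "issuer"));
        if (subjectOrNull != null) {
            where = cb.and(where, cb.equal(root.get("subject"), cb.parameter(String.class, "subject")));
        }
        javax.persistence.Query q = em.createQuery(delete.where(where)).setParameter("issuer", issuer);
        if (subjectOrNull != null) q.setParameter("subject", subjectOrNull);
        return q.executeUpdate();
    }
}
```

Enabling SQL logging (for example Hibernate's show_sql) makes the difference visible: the two safe methods emit a statement with ? placeholders, while the unsafe one emits whatever the caller's string produced.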