
EXTERNAL DATA IN SQL QUERIES [SAST] [M7] [CWE-89] #146

@venjee

Description


hi j256

Our app uses your lib, and we asked a third-party security company to do a security check on our app. They reported an issue about the ormlite lib; the details are listed below:

EXTERNAL DATA IN SQL QUERIES [SAST] [M7] [CWE-89]
Description:
Inclusion of input into raw SQL queries can potentially lead to a local SQL injection vulnerability in the mobile
application, resulting in the compromise of any sensitive information stored within database files.
The correct approach is to use prepared SQL statements beyond the user's control.

There is 'execSQL()' found in file 'com/j256/ormlite/android/AndroidCompiledStatement.java':
[line 179: */]
[line 180: throw new UnsupportedOperationException("Method not decompiled: com.j256.ormlite.android.AndroidCompiledStatement.execSql(android.database.sqlite.SQLiteDatabase, java.lang.String, java.lang.String, java.lang.Object[]):int");]
[line 181: }]

[line 263: if (this.type.isOkForExecute()) {]
[line 264: return execSql(this.db, "runExecute", this.sql, getArgArray());]
[line 265: }]

[line 285: }]
[line 286: return execSql(this.db, "runUpdate", str, getArgArray());]
[line 287: }]

There is 'rawQuery()' found in file 'com/j256/ormlite/android/AndroidCompiledStatement.java':
[line 249: }]
[line 250: Cursor rawQuery = apiCompatibility.rawQuery(this.db, str, getStringArray(), this.cancellationHook);]
[line 251: this.cursor = rawQuery;]

The ormlite version my app uses is 5.1. I found that the latest version was updated 2 years ago; it seems you will not maintain this lib anymore?
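Whether a `rawQuery()`/`execSQL()` call like the ones flagged above is actually exploitable depends on how the SQL string handed to it was built: a finding on the library's internal statement runner says nothing by itself, because the same call is reached both by application code that concatenates untrusted input into the SQL text and by application code that passes that input as a bind argument. The following is an added example, not code from the ORMLite project or from the issue author, that shows the difference through ORMLite's public `Dao` API. It assumes the `ormlite-core` and `ormlite-jdbc` artifacts plus the SQLite JDBC driver on the classpath so it can run on a desktop JVM against an in-memory database; the `Account` table, its rows and the `lookup*` method names are constructed for the demonstration.

```java
import java.sql.SQLException;
import java.util.List;

import com.j256.ormlite.dao.Dao;
import com.j256.ormlite.dao.DaoManager;
import com.j256.ormlite.dao.GenericRawResults;
import com.j256.ormlite.field.DatabaseField;
import com.j256.ormlite.jdbc.JdbcConnectionSource;
import com.j256.ormlite.stmt.QueryBuilder;
import com.j256.ormlite.stmt.SelectArg;
import com.j256.ormlite.support.ConnectionSource;
import com.j256.ormlite.table.DatabaseTable;
import com.j256.ormlite.table.TableUtils;

public class RawSqlInjectionDemo {

    // Constructed sample entity for the demonstration (not part of ORMLite).
    @DatabaseTable(tableName = "account")
    public static class Account {
        @DatabaseField(generatedId = true)
        int id;
        @DatabaseField
        String name;
        @DatabaseField
        String secret;

        Account() {
            // ORMLite requires a no-argument constructor
        }

        Account(String name, String secret) {
            this.name = name;
            this.secret = secret;
        }
    }

    // VULNERABLE (CWE-89): untrusted input is spliced into the SQL text itself,
    // so quote characters in the input change the structure of the statement.
    static List<String[]> lookupConcatenated(Dao<Account, Integer> dao, String userInput) throws SQLException {
        String sql = "SELECT name, secret FROM account WHERE name = '" + userInput + "'";
        GenericRawResults<String[]> results = dao.queryRaw(sql);
        return results.getResults();
    }

    // HARDENED: the SQL text is a constant and the input travels as a bind
    // argument (the "?" placeholder), so it is compared as a literal value.
    static List<String[]> lookupBound(Dao<Account, Integer> dao, String userInput) throws SQLException {
        GenericRawResults<String[]> results =
                dao.queryRaw("SELECT name, secret FROM account WHERE name = ?", userInput);
        return results.getResults();
    }

    // HARDENED: same idea without writing SQL by hand; SelectArg makes the
    // QueryBuilder emit a placeholder and bind the value at execution time.
    static List<Account> lookupBuilder(Dao<Account, Integer> dao, String userInput) throws SQLException {
        QueryBuilder<Account, Integer> qb = dao.queryBuilder();
        qb.where().eq("name", new SelectArg(userInput));
        return qb.query();
    }

    public static void main(String[] args) throws SQLException {
        // In-memory SQLite via JDBC so the example runs outside Android.
        ConnectionSource cs = new JdbcConnectionSource("jdbc:sqlite::memory:");
        try {
            TableUtils.createTable(cs, Account.class);
            Dao<Account, Integer> dao = DaoManager.createDao(cs, Account.class);
            dao.create(new Account("alice", "alice-secret"));
            dao.create(new Account("bob", "bob-secret"));

            // Constructed attacker-controlled input: closes the string literal
            // and appends an always-true condition.
            String attacker = "nobody' OR '1'='1";

            System.out.println("concatenated: " + lookupConcatenated(dao, attacker).size() + " row(s)");
            System.out.println("bound:        " + lookupBound(dao, attacker).size() + " row(s)");
            System.out.println("builder:      " + lookupBuilder(dao, attacker).size() + " row(s)");
        } finally {
            cs.closeQuietly();
        }
    }
}
```

With the concatenated query the WHERE clause becomes `name = 'nobody' OR '1'='1'`, which is true for every row, so both accounts' secrets come back; with the bind argument or `SelectArg` the same string is compared literally against the `name` column and matches nothing. When triaging a SAST hit on a library's internal `rawQuery()`/`execSQL()` call, the practical check is therefore to find every caller in the application that builds a SQL string from external data (`queryRaw`, `updateRaw`, `executeRaw`, or `where().raw(...)` with concatenated input) and convert it to the placeholder form; callers that already pass values as arguments are not affected by the finding.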
