Menu
Do the parameters of a string passed to the @Query annotation, for Spring, get treated as pure data as they would if, for example, you were using the PreparedStatement class or any method meant to prevent SQL injection?
final String MY_QUERY = "SELECT * FROM some_table WHERE some_column = ?1";
@Query(value=MY_QUERY, nativeQuery = true)
List<SomeEntity> findResults(String potentiallyMaliciousUserInput);
Bottom Line: Is the code above susceptible to SQL injection?
973
The @Query annotation can only be used to annotate repository interface methods. The call of the annotated methods will trigger the execution of the statement found in it, and their usage is pretty straightforward. The @Query annotation supports both native SQL and JPQL.
Spring Data JPA is vulnerable to SQL Injection. spring-data-jpa is vulnerable to SQL injection. When Sort is used together with a String query, it does not check the path for Sort instances that can be created from untrustable sources.
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements.
Spring Data JPA @Query The @Query annotation declares finder queries directly on repository methods. While similar @NamedQuery is used on domain classes, Spring Data JPA @Query annotation is used on Repository interface. This frees the domain classes from persistence specific information, which is a good thing.
It looks like Spring Data's @Query is just a wrapper around JPA
See this SO answer: Are SQL injection attacks possible in JPA?
77
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
