diff --git a/rules/S8225/java/metadata.json b/rules/S8225/java/metadata.json
new file mode 100644
index 00000000000..0a0525a5c1d
--- /dev/null
+++ b/rules/S8225/java/metadata.json
@@ -0,0 +1,31 @@
+{
+ "title": "Date parameters in database operations should use proper types and PreparedStatement methods",
+ "type": "VULNERABILITY",
+ "status": "ready",
+ "remediation": {
+ "func": "Constant/Issue",
+ "constantCost": "10 min"
+ },
+ "tags": [
+ "sql",
+ "database",
+ "injection",
+ "jdbc"
+ ],
+ "defaultSeverity": "Blocker",
+ "ruleSpecification": "RSPEC-8225",
+ "sqKey": "S8225",
+ "scope": "Main",
+ "defaultQualityProfiles": [
+ "Sonar way"
+ ],
+ "quickfix": "unknown",
+ "code": {
+ "impacts": {
+ "SECURITY": "BLOCKER",
+ "RELIABILITY": "BLOCKER",
+ "MAINTAINABILITY": "HIGH"
+ },
+ "attribute": "CONVENTIONAL"
+ }
+}
\ No newline at end of file
diff --git a/rules/S8225/java/rule.adoc b/rules/S8225/java/rule.adoc
new file mode 100644
index 00000000000..6776b55e04f
--- /dev/null
+++ b/rules/S8225/java/rule.adoc
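Review bot: The metadata classifies the rule as type VULNERABILITY with the `injection` tag and a SECURITY impact of BLOCKER, but the rule text added in rules/S8225/java/rule.adoc in the same commit argues only data-integrity and type-safety problems, and both of its code examples bind the value through a PreparedStatement parameter, where `setString()` does not open an injection path. Either the description should cover the string-concatenation case named in its first sentence with a noncompliant example, or the `injection` tag, the VULNERABILITY type and the BLOCKER security impact should be revisited so that they match what the rule actually detects. The same mismatch applies to the rule.adoc hunk, so it is noted here only once.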
@@ -0,0 +1,52 @@
+This rule raises an issue when date or datetime values are inserted into databases using string concatenation in SQL queries or when using `setString()` method with PreparedStatement for date parameters.
+
+== Why is this an issue?
+
+Using string operations for date values in database operations creates data integrity problems.
+
+String-based date handling bypasses proper type validation. When dates are treated as strings, invalid date values can reach the database without validation, potentially causing silent data corruption or insertion failures.
+
+Using `setString()` for date parameters defeats the type safety that PreparedStatement provides. The JDBC driver cannot validate that the string represents a valid date, allowing malformed data to pass through.
+
+PreparedStatement offers proper type-safe methods for date handling: `setDate()` for SQL DATE columns, `setTime()` for SQL TIME columns, and `setTimestamp()` for SQL TIMESTAMP columns. These methods ensure proper validation and type conversion.
+
+=== What is the potential impact?
+
+Data integrity issues may result in incorrect date storage, leading to business logic errors, reporting inaccuracies, or application failures when processing date-based operations. Invalid dates may be silently accepted, causing downstream processing problems.
+
+== How to fix it
+
+Parse and validate date strings using java.sql.Date for database operations using setDate().
+
+=== Code examples
+
+==== Noncompliant code example
+
+[source,java,diff-id=1,diff-type=noncompliant]
+----
+String dateStr = "2010-05-01";
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setString(1, dateStr); // Noncompliant
+pstmt.executeUpdate();
+----
+
+==== Compliant solution
+
+[source,java,diff-id=1,diff-type=compliant]
+----
+String dateStr = "2010-05-01";
+java.sql.Date sqlDate = java.sql.Date.valueOf(dateStr);
+PreparedStatement pstmt = connection.prepareStatement("INSERT INTO events (event_date) VALUES (?)");
+pstmt.setDate(1, sqlDate);
+pstmt.executeUpdate();
+----
+
+== Resources
+
+=== Documentation
+
+ * Java SE Documentation - java.sql.PreparedStatement - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/PreparedStatement.html[Complete API documentation for PreparedStatement methods including date setters]
+
+ * Java SE Documentation - java.sql.Date - https://docs.oracle.com/en/java/javase/11/docs/api/java.sql/java/sql/Date.html[Documentation for java.sql.Date class used for SQL DATE values]
+
+ * Java SE Documentation - LocalDate - https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/time/LocalDate.html[Modern Java API for date handling without time zone information]
diff --git a/rules/S8225/metadata.json b/rules/S8225/metadata.json
new file mode 100644
index 00000000000..2c63c085104
--- /dev/null
+++ b/rules/S8225/metadata.json
@@ -0,0 +1,2 @@
+{
+}
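Review bot: The compliant solution calls `java.sql.Date.valueOf(dateStr)` without saying that it throws an `IllegalArgumentException` when the string is not in `yyyy-[m]m-[d]d` form, so a reader following the "Parse and validate" instruction in "How to fix it" gets a fix that fails at runtime on malformed input instead of validating it. That paragraph should state it explicitly, e.g. `java.sql.Date.valueOf` rejects malformed input with an IllegalArgumentException; validate the string or handle the exception before reaching the database call. Since LocalDate is listed under Resources but never used in the examples, the fix could also show the java.time route, `pstmt.setObject(1, LocalDate.parse(dateStr));`, which JDBC 4.2 drivers map to a DATE parameter.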