User input in SQL Connection setCatalog detected

Description

It is bad security practice to pass unsanitized user input to a SQL Connection's catalog setting (java.sql.Connection.setCatalog). The catalog selects which database the statements issued on that connection run against; on drivers that map the catalog to a database name, such as MySQL or SQL Server, it is effectively a USE statement. An attacker who controls the value can therefore point the connection at a catalog the application never intended to touch, so every subsequent query reads from or writes to the wrong database, resulting in unexpected or malicious application behaviour.

Remediations

❌ Avoid Direct User Input

Do not use user-supplied information when setting the catalog for your SQL database. If the catalog genuinely has to vary per request (for example one database per tenant), resolve an opaque request identifier against a fixed allowlist that the application owns, reject any identifier that is not in the list, and pass only the allowlisted catalog name to setCatalog.
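The following is an added example, not Bearer's code or a fixture from this rule: the pattern the rule flags alongside the allowlist-based form the remediation describes. The tenant ids, catalog names and request values are constructed for illustration, and the class name CatalogSelection is an assumption.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Map;

public final class CatalogSelection {

    // Constructed allowlist (illustrative names): an opaque tenant id taken
    // from the request maps to a catalog the application owns. The caller
    // never gets to name the catalog directly.
    private static final Map<String, String> TENANT_CATALOGS = Map.of(
            "acme", "acme_prod",
            "globex", "globex_prod");

    private CatalogSelection() {}

    // What the rule flags: the catalog comes straight from the request.
    // A caller sending a different database name (for example "master" on
    // SQL Server) redirects every later statement on this connection.
    public static void vulnerable(Connection conn, String catalogFromRequest)
            throws SQLException {
        conn.setCatalog(catalogFromRequest);
    }

    // Hardened form: the request carries only a tenant id, which is resolved
    // against the fixed mapping. Missing or unknown ids are rejected before
    // any JDBC call is made, so raw input never reaches setCatalog.
    public static String resolveCatalog(String tenantIdFromRequest) {
        if (tenantIdFromRequest == null) {
            throw new IllegalArgumentException("missing tenant id");
        }
        String catalog = TENANT_CATALOGS.get(tenantIdFromRequest);
        if (catalog == null) {
            throw new IllegalArgumentException("unknown tenant id");
        }
        return catalog;
    }

    public static void hardened(Connection conn, String tenantIdFromRequest)
            throws SQLException {
        conn.setCatalog(resolveCatalog(tenantIdFromRequest));
    }

    // Constructed request values; no database is needed to see which ones
    // would reach setCatalog. Note that even a real catalog name ("acme_prod")
    // is rejected, because the mapping key is the tenant id, not the catalog.
    public static void main(String[] args) {
        String[] requests = {"acme", "globex", "master", "acme_prod", null};
        for (String value : requests) {
            try {
                System.out.println(value + " -> " + resolveCatalog(value));
            } catch (IllegalArgumentException e) {
                System.out.println(value + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it with `java CatalogSelection.java` (Java 11 or later). One caveat worth keeping in mind when testing: per the JDBC javadoc, a driver that does not support catalogs silently ignores setCatalog, so the vulnerable form may look harmless against such a driver in development and still reroute queries in production against a driver that does honour it.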

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_external_config_control

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_external_config_control
