Unsanitized user input in SQL catalog configuration

Description

Passing unsanitized user input to a SQL Connection's catalog setting (the setCatalog method) is a security vulnerability. A caller who controls the catalog name can point the connection at a different catalog (database) than the application intended, so every query that follows runs against data the caller was never authorized to reach, which can cause harmful or unintended actions in the application.

Remediations

  • Do not pass user input directly to the SQL connection's catalog setting. Validate the input before it reaches your database configuration, preferably by resolving it against an allowlist of catalog names the application owns (for example, a fixed mapping from the authenticated tenant to its catalog). Rejecting malformed names alone is not enough: a well-formed name can still refer to a catalog the caller should not be able to see.
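The pattern this rule flags, next to the allowlist-based fix, as an added Java example that is not part of the Bearer rule page or of any project's code. The class name, the tenant ids and the catalog names are assumptions; the Connection is supplied by the caller, so the class compiles and its main runs without a database:

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Map;

// Hypothetical helper (not from Bearer or any project): the pattern the rule
// reports, beside a remediation that resolves input through an allowlist.
public class CatalogSelection {

    // VULNERABLE: the catalog name comes straight from the request. Any catalog
    // the database account can reach, such as another tenant's, is selectable.
    public static void switchCatalogUnsafe(Connection conn, String requestedCatalog)
            throws SQLException {
        conn.setCatalog(requestedCatalog); // reported by java_lang_external_config_control
    }

    // Allowlist owned by the application: maps an authenticated tenant id to the
    // one catalog that tenant may use. The ids and names here are assumed values.
    private static final Map<String, String> TENANT_CATALOGS = Map.of(
            "acme", "tenant_acme",
            "globex", "tenant_globex");

    // Resolves the caller-supplied tenant id to a catalog name the application
    // chose. Unknown ids are rejected before setCatalog is ever reached, and a
    // well-formed catalog name that is not a tenant id is rejected too.
    public static String resolveCatalog(String tenantId) {
        String catalog = TENANT_CATALOGS.get(tenantId);
        if (catalog == null) {
            throw new IllegalArgumentException("unknown tenant: " + tenantId);
        }
        return catalog;
    }

    // HARDENED: only values taken from TENANT_CATALOGS ever reach setCatalog.
    public static void switchCatalogSafe(Connection conn, String tenantId)
            throws SQLException {
        conn.setCatalog(resolveCatalog(tenantId));
    }

    // Self-check that needs no database: a known tenant resolves, while a real
    // catalog name supplied as user input is refused.
    public static void main(String[] args) {
        System.out.println("acme -> " + resolveCatalog("acme"));
        try {
            resolveCatalog("tenant_globex"); // valid catalog name, not a tenant id
            System.out.println("unexpected: input accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points a reviewer would check here: the lookup key is the authenticated identity (tenant id), not a catalog name the user types, so the mapping doubles as an authorization check; and no validation is delegated to the driver, because per the JDBC Javadoc a driver that does not support catalogs silently ignores setCatalog rather than throwing, so a bad value would not fail loudly on its own.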

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=java_lang_external_config_control

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=java_lang_external_config_control