SpotBugs summary

Public enum method unconditionally sets its field

Keeping an enum's setter private is the safe way to write it; if it is public, the field can be tampered with by malicious code.

Although mutable enum fields may be used for lazy initialization, exposing them to the outside world is bad practice. Consider removing this method or declaring it package-private.
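What the warning (SpotBugs pattern ME_ENUM_FIELD_SETTER) looks like in practice, and how to keep lazy initialization without a public setter. This is an added example, not code from the original post; the enum `FeatureFlag`, its constants and the `description` field are hypothetical.

```java
import java.util.Locale;

// Hypothetical enum whose constants carry a lazily computed, mutable field.
public enum FeatureFlag {
    DARK_MODE, BETA_SEARCH;

    // Mutable field used for lazy initialization; volatile so the double-checked
    // locking below is correct under the Java memory model.
    private volatile String description;

    // Flagged pattern: a public setter on an enum lets any caller overwrite state that
    // is shared by the whole process, because enum constants are singletons.
    //
    //     public void setDescription(String d) { this.description = d; }
    //
    // The fix is to remove it: the lazy initialization moves inside the enum, so no
    // external code can replace the value once it is computed.

    /** Returns the description, computing it on first use; never exposes a setter. */
    public String description() {
        String d = description;
        if (d == null) {
            synchronized (this) {
                d = description;
                if (d == null) {
                    d = loadDescription();
                    description = d;
                }
            }
        }
        return d;
    }

    // Private initializer: the only code path that writes the field.
    private String loadDescription() {
        return name().toLowerCase(Locale.ROOT).replace('_', ' ');
    }

    public static void main(String[] args) {
        for (FeatureFlag f : values()) {
            System.out.println(f + " -> " + f.description());
        }
    }
}
```

If a setter is genuinely needed (for example by a test in the same package), declare it package-private rather than public, which is the alternative SpotBugs suggests.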


Potential JDBC Injection

The code may be subject to SQL injection.


// Fragment flagged by SpotBugs, taken from the middle of a larger method: `conn`, `sql` and
// `uksList` are defined by the enclosing code (not shown on this page), and `UniqueKey` is the
// project's own class. It needs java.sql.PreparedStatement, java.sql.ResultSet, java.util.List
// and com.google.common.collect.Lists. The finding targets `conn.prepareStatement(sql)`: `sql`
// is assembled before this point, so any untrusted text that reaches it is not bound as a parameter.
try (PreparedStatement statMent = conn.prepareStatement(sql)) {
    ResultSet rs = statMent.executeQuery();
    if (rs != null) {
        while (rs.next()) {
            String createTableDdl = rs.getString(2);
            int firstIndex = createTableDdl.indexOf("(");
            int lastIndex = createTableDdl.lastIndexOf(")");
            String temp = createTableDdl.substring(firstIndex + 1, lastIndex);
            String[] lines = temp.split("\n");
            for (String line : lines) {
                // if (line.contains("UNIQUE KEY") || line.contains("unique key")) {
                // Uniqueness is only enforced through a UNIQUE KEY, not through a composite primary key;
                // a PRIMARY KEY is also a kind of unique key.
                if (line.toUpperCase().contains("UNIQUE KEY")) {
                    int lineFirstIndex = line.indexOf("(");
                    int lineLastIndex = line.lastIndexOf(")");
                    String lineTemp = line.substring(lineFirstIndex + 1, lineLastIndex);
                    String[] columnSplit = lineTemp.split(",");
                    // Mind the index (column) order, otherwise the statement will not execute successfully.
                    List<String> ukGroup = Lists.newArrayList();
                    for (String columnTemp : columnSplit) {
                        int columnNameFirstIndex = columnTemp.indexOf("`");
                        int columnNameLastIndex = columnTemp.lastIndexOf("`");
                        if (columnNameFirstIndex == -1 || columnNameLastIndex == -1) {
                            // Matching on the string "UNIQUE KEY" alone can misfire, so additionally require the backticks ``.
                            ukGroup.add(columnTemp);
                            continue;
                        }
                        String columnName = columnTemp.substring(columnNameFirstIndex + 1, columnNameLastIndex);
                        ukGroup.add(columnName);
                    }
                    UniqueKey uniqueKey = new UniqueKey();
                    uniqueKey.setUkColumnNameList(ukGroup);
                    uksList.add(uniqueKey);
                }
            }
        }
    }
}

Input values included in a SQL query must be passed safely. Bind variables in prepared statements make it easy to reduce the risk of SQL injection.

Risky code:

Connection conn = [...];
Statement stmt = conn.createStatement();
// nbSales and coffeeName are spliced straight into the SQL text, so a quote inside coffeeName ends the literal
int rows = stmt.executeUpdate("update COFFEES set SALES = " + nbSales + " where COF_NAME = '" + coffeeName + "'");

Solution:

Connection conn = [...];
// The SQL text is fixed; the values travel separately as bound parameters
PreparedStatement updateSales = conn.prepareStatement("update COFFEES set SALES = ? where COF_NAME = ?");
updateSales.setInt(1, nbSales);
updateSales.setString(2, coffeeName);
updateSales.executeUpdate();
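A fuller version of the fix, as an added example that is not part of the original post. It binds the data values of the COFFEES update, and it also covers the case the flagged fragment above actually hits: the fragment parses a CREATE TABLE text from column 2 of its result set, which is presumably a MySQL `SHOW CREATE TABLE` whose table name is concatenated into `sql` (an assumption; the page does not show how `sql` is built). Identifiers cannot be bound with `?`, so the example validates the table name against an allow-list instead. The class `SafeJdbc`, the `SAFE_IDENTIFIER` policy and the method names are hypothetical; the database calls require a real JDBC `Connection`, while `main` exercises only the identifier check.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

public final class SafeJdbc {

    // Allow-list for identifiers that must be spliced into SQL text (hypothetical policy:
    // letters, digits and underscores, at most 64 characters, as MySQL permits for table names).
    private static final Pattern SAFE_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    /** Data values (numbers, names) go through bind variables, never string concatenation. */
    static int updateSales(Connection conn, int nbSales, String coffeeName) throws SQLException {
        String sql = "UPDATE COFFEES SET SALES = ? WHERE COF_NAME = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, nbSales);        // bound as an integer: non-numeric input is a type error, not SQL
            ps.setString(2, coffeeName);  // quotes inside coffeeName stay inside the value
            return ps.executeUpdate();
        }
    }

    /**
     * Identifiers (table and column names) cannot be bound with '?', so a query such as
     * SHOW CREATE TABLE cannot simply be parameterised. The practical defence is to
     * validate the name against an allow-list before splicing it into the statement.
     */
    static String showCreateTableSql(String tableName) {
        if (!SAFE_IDENTIFIER.matcher(tableName).matches()) {
            throw new IllegalArgumentException("unsafe table name: " + tableName);
        }
        return "SHOW CREATE TABLE `" + tableName + "`";
    }

    /** Same DDL lookup as the flagged fragment, but with the table name validated first. */
    static String fetchCreateTableDdl(Connection conn, String tableName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(showCreateTableSql(tableName));
             ResultSet rs = ps.executeQuery()) {
            // Column 2 of SHOW CREATE TABLE is the CREATE TABLE statement text
            return rs.next() ? rs.getString(2) : null;
        }
    }

    public static void main(String[] args) {
        // No database needed for this part: only the identifier check is exercised.
        System.out.println(showCreateTableSql("coffees"));
        try {
            showCreateTableSql("coffees`; -- constructed bad input");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is deliberately strict: it rejects backticks, spaces and punctuation outright rather than trying to escape them, which is also what makes the SpotBugs finding go away for the right reason rather than by suppressing it.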

Reliance on default encoding

Relies on the platform default encoding

// Flagged: String.getBytes() uses the JVM default charset, which depends on the OS and locale
result = RandomStringUtils.randomAscii(size).getBytes();
// Fix: name the charset explicitly ("UTF_8" is not a valid charset name; use StandardCharsets.UTF_8 or "UTF-8")
result = RandomStringUtils.randomAscii(size).getBytes(StandardCharsets.UTF_8);

Method may fail to clean up stream or resource

Some streams or resources risk never being closed.

Solution: try-with-resources
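One example for the last two findings together, added here and not taken from the original post: it shows why the default charset matters (the same text encodes to different byte lengths under different charsets) and contrasts the leaky write pattern with the try-with-resources form. The class `EncodingAndResources`, the method names and the sample text are constructed for the example; it uses only the JDK.

```java
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public final class EncodingAndResources {

    /** Encodes with an explicit charset: the bytes are the same on every JVM and OS locale. */
    static byte[] encodeExplicit(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    /** Shows what "reliance on default encoding" costs: the byte length depends on the charset. */
    static int encodedLength(String s, Charset cs) {
        return s.getBytes(cs).length;
    }

    /**
     * Leaky pattern ("Method may fail to clean up stream or resource"): if write() throws,
     * close() is never reached and the file handle leaks.
     */
    static void writeLeaky(Path file, String text) throws IOException {
        BufferedWriter w = Files.newBufferedWriter(file, StandardCharsets.UTF_8);
        w.write(text);
        w.close(); // skipped on exception
    }

    /** try-with-resources closes the writer on every path, including exceptions. */
    static void writeSafely(Path file, String text) throws IOException {
        try (BufferedWriter w = Files.newBufferedWriter(file, StandardCharsets.UTF_8)) {
            w.write(text);
        }
    }

    /** Reads the first line back with the same explicit charset used for writing. */
    static String readSafely(Path file) throws IOException {
        try (BufferedReader r = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            return r.readLine();
        }
    }

    public static void main(String[] args) throws IOException {
        String text = "咖啡 coffee"; // constructed sample containing non-ASCII characters
        System.out.println("UTF-8 bytes:      " + encodedLength(text, StandardCharsets.UTF_8));
        // ISO-8859-1 cannot represent the CJK characters: they are replaced by '?' and data is lost
        System.out.println("ISO-8859-1 bytes: " + encodedLength(text, StandardCharsets.ISO_8859_1));
        System.out.println("default charset:  " + Charset.defaultCharset());

        Path tmp = Files.createTempFile("spotbugs-demo", ".txt");
        try {
            writeSafely(tmp, text);
            System.out.println("round trip ok: " + text.equals(readSafely(tmp)));
        } finally {
            Files.deleteIfExists(tmp);
        }
    }
}
```

The same two rules apply to `InputStreamReader`, `OutputStreamWriter`, `Scanner` and `String(byte[])`: always pass the charset, and open the resource in the `try (...)` header so it is closed whether or not the body throws.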

Posted @ 2021-05-07 14:43  hulian425  Views (493)  Comments (0)