存储过程 (SP) 接受一个键 (key) 并返回标志状态。Checkmarx SAST 扫描报告指出,key 参数在用于查询之前未经过验证。请帮助了解可以添加哪些验证才能通过漏洞测试。
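CREATE PROCEDURE sp_name (key VARCHAR2, v_flag OUT NUMBER) AS
    -- Looks up the flag stored for a key in tbl.
    -- key    : lookup value; normalised with UPPER(TRIM()) before the lookup,
    --          as the original did.
    -- v_flag : the matching tbl.flag, or -1 when key is NULL or no row matches.
    --
    -- The original enquoted the value with DBMS_ASSERT and then stripped every
    -- single quote again before binding it, which mangled keys containing quotes
    -- and added nothing: a bound value is never spliced into SQL text, so there
    -- is nothing to quote. Static SQL keeps the bind and removes the dynamic
    -- EXECUTE IMMEDIATE altogether.
BEGIN
    IF key IS NULL THEN
        v_flag := -1;
    ELSE
        -- sp_name.key qualifies the parameter: inside a SQL statement an
        -- unqualified "key" resolves to the column of tbl, not the parameter.
        SELECT t.flag
          INTO v_flag
          FROM tbl t
         WHERE t.key = UPPER(TRIM(sp_name.key));
    END IF;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        v_flag := -1;
END;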
我尝试了绑定变量和 dbms_assert,但扫描结果仍然显示代码容易受到攻击。
不需要时就不要使用 `EXECUTE IMMEDIATE`。原过程已经通过 USING 绑定了值,本身并不会被注入;扫描器标记的很可能是动态 SQL 这一构造本身,改用静态 SQL 即可消除该告警。该过程可以简化为:
CREATE PROCEDURE sp_name (
    v_key  IN  TBL.KEY%TYPE,
    v_flag OUT TBL.FLAG%TYPE
)
AS
BEGIN
    -- Static SQL with the parameter as a bind: no SQL text is assembled at
    -- run time, so there is nothing to escape or validate against injection.
    SELECT t.flag
      INTO v_flag
      FROM tbl t
     WHERE t.key = v_key;
EXCEPTION
    WHEN NO_DATA_FOUND THEN
        -- No matching row (a NULL v_key matches nothing either) reports -1.
        v_flag := -1;
END;
/
然后,如果您有样本数据:
-- Sample data: three keyed rows plus one row with a NULL key.
CREATE TABLE tbl (key, flag) AS
SELECT key, flag
  FROM (
           SELECT 'A' AS key, 1 AS flag FROM DUAL
           UNION ALL SELECT 'B',  2 FROM DUAL
           UNION ALL SELECT 'C',  3 FROM DUAL
           UNION ALL SELECT NULL, 4 FROM DUAL
       );
然后:
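-- Exercises sp_name for present, absent and NULL keys and prints each result.
-- The labels for B and C were hard-coded as 'A: ' in the original; deriving the
-- label from the key keeps the printed line in step with the call.
DECLARE
    v_flag TBL.FLAG%TYPE;

    -- Calls sp_name for one key and prints "<key>: <flag>" ("NULL" for a NULL key).
    PROCEDURE show (p_key IN TBL.KEY%TYPE) IS
    BEGIN
        sp_name(p_key, v_flag);
        DBMS_OUTPUT.PUT_LINE(
            CASE WHEN p_key IS NULL THEN 'NULL' ELSE p_key END || ': ' || v_flag
        );
    END show;
BEGIN
    show('A');
    show('B');
    show('C');
    show('D');
    show(NULL);
END;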
/
输出:
A: 1
B: 2
C: 3
D: -1
NULL: -1