我有这个 ProductDao.java 类:
@Repository(value = "ProductDao")
public class ProductDao implements IProductDao {
public static final String LABEL_LIKE = "labellike";
public static final String NUM_CODE = "n_code";
public static final String LABEL = "label";
public static final String STATUS = "status";
public Query createQuery(String query) {
return sessionFactory.getCurrentSession().createQuery(query);
}
private StringBuilder paginatedListMasterProductSelectQuery() {
StringBuilder select = new StringBuilder();
select.append("SELECT distinct mp ");
return select;
}
private StringBuilder paginatedListMasterProductCountQuery() {
StringBuilder count = new StringBuilder();
count.append("SELECT Count (distinct mp) ");
return count;
}
private StringBuilder paginatedListMasterProductJoinQuery(CatalogFilterVO catalogFilter) {
StringBuilder join = new StringBuilder();
join.append(" FROM MasterProduct AS mp");
join.append(" JOIN mp.products AS p");
if (StringUtils.isNotEmpty(catalogFilter.getNomenclatureCode())
|| getSortFieldLevel(catalogFilter.getSortField()) != 0) {
join.append(" JOIN mp.nomenclature AS n");
}
join.append(" LEFT JOIN p.family AS f");
if ("productLifeVO".equals(catalogFilter.getSortField())) {
join.append(" LEFT JOIN mp.productLife AS pl ");
}
return join;
}
private StringBuilder paginatedListMasterProductClauseQuery(CatalogFilterVO catalogFilter) {
StringBuilder clause = new StringBuilder();
// WHERE
clause.append(" WHERE 1=1");
if(StringUtils.isNotEmpty(catalogFilter.getNomenclatureCode()) ){
clause.append(" AND n.value LIKE :n_code");
}
if (StringUtils.isNotEmpty(catalogFilter.getTextSearch())) {
clause.append(" AND (mp.partnerProductReference like :labellike");
clause.append(" OR mp.name like :labellike");
clause.append(" OR mp.shortDescription like :labellike");
clause.append(" OR f.keywords like :labellike");
clause.append(")");
}
if(StringUtils.isNotEmpty(catalogFilter.getProductStatus()) ) {
clause.append(" AND p.status = :status ");
}
return clause;
}
private StringBuilder paginatedListMasterProductOrderByNomenClature(CatalogFilterVO catalogFilter) {
StringBuilder orderByP2 = new StringBuilder();
if (NOMENCLATURE_ONE.equalsIgnoreCase(catalogFilter.getSortField())) {
orderByP2.append(" ORDER BY n.parent.parent.parent.parent.label");
}
if (NOMENCLATURE_TWO.equalsIgnoreCase(catalogFilter.getSortField())) {
orderByP2.append(" ORDER BY n.parent.parent.parent.label");
}
if (NOMENCLATURE_THREE.equalsIgnoreCase(catalogFilter.getSortField())) {
orderByP2.append(" ORDER BY n.parent.parent.label");
}
if (NOMENCLATURE_FOUR.equalsIgnoreCase(catalogFilter.getSortField())) {
orderByP2.append(" ORDER BY n.parent.label");
}
if (NOMENCLATURE_FIVE.equalsIgnoreCase(catalogFilter.getSortField())) {
orderByP2.append(" ORDER BY n.label");
}
orderByP2.append(" ").append(catalogFilter.getSortOrder());
if (StringUtils.isNotEmpty(catalogFilter.getTextSearch())) {
orderByP2.append(", ");
}
return orderByP2;
}
private StringBuilder paginatedListMasterProductOrderByTextSearch(CatalogFilterVO catalogFilter) {
StringBuilder orderByTxtSearch = new StringBuilder();
if (StringUtils.isEmpty(catalogFilter.getSortField())) {
orderByTxtSearch.append(" ORDER BY ");
}
orderByTxtSearch.append(" CASE WHEN (mp.partnerProductReference like :labellike) THEN 1");
orderByTxtSearch.append(" WHEN (mp.name like :labellike) THEN 2");
orderByTxtSearch.append(" WHEN (f.keywords like :labellike) THEN 3");
orderByTxtSearch.append(" WHEN (mp.shortDescription like :labellike) THEN 4");
orderByTxtSearch.append(" END");
orderByTxtSearch.append(" , CASE WHEN (instr(mp.name, :label)>0) THEN instr(mp.name, :label) END ");
return orderByTxtSearch;
}
private StringBuilder paginatedListMasterProductOrderByAllFieldQuery(CatalogFilterVO catalogFilter) {
StringBuilder orderBy = new StringBuilder();
if (StringUtils.isNotEmpty(catalogFilter.getSortField())) {
if (get(catalogFilter.getSortField()) != null) {
orderBy.append(paginatedListMasterProductOrderByNameAndPubliStock(catalogFilter));
} else if (getSortFieldLevel(catalogFilter.getSortField()) != 0) {
orderBy.append(paginatedListMasterProductOrderByNomenClature(catalogFilter));
}
}
if (StringUtils.isNotEmpty(catalogFilter.getTextSearch())) {
orderBy.append(paginatedListMasterProductOrderByTextSearch(catalogFilter));
}
return orderBy;
}
private void setParameterQuery(Query query, Query countQuery,CatalogFilterVO catalogFilter) {
// SET PARAMETERS
if (StringUtils.isNotEmpty(catalogFilter.getTextSearch())) {
query.setParameter(LABEL_LIKE, '%' + catalogFilter.getTextSearch() + '%');
query.setParameter(LABEL, catalogFilter.getTextSearch());
countQuery.setParameter(LABEL_LIKE, '%' + catalogFilter.getTextSearch() + '%');
}
if (StringUtils.isNotEmpty(catalogFilter.getNomenclatureCode())) {
query.setParameter(NUM_CODE, catalogFilter.getNomenclatureCode() + "%");
countQuery.setParameter(NUM_CODE, catalogFilter.getNomenclatureCode() + "%");
}
if (StringUtils.isNotEmpty(catalogFilter.getProductStatus())) {
if (catalogFilter.getProductStatus().equals(Product.ProductStatus.ACTIVE.toString())) {
query.setParameter(STATUS, Product.ProductStatus.ACTIVE);
countQuery.setParameter(STATUS, Product.ProductStatus.ACTIVE);
}else {
query.setParameter(STATUS, Product.ProductStatus.INACTIVE);
countQuery.setParameter(STATUS, Product.ProductStatus.INACTIVE);
}
}
}
public MasterProduct checkDuplicateOrangeReference(String orangeReference) {
StringBuilder sb = new StringBuilder();
sb.append("SELECT mp ");
sb.append("FROM MasterProduct As mp ");
sb.append("WHERE mp.orangeProductReference =:orangeReference ");
Query query = createQuery(sb.toString());
query.setParameter("orangeReference", orangeReference);
return find(query);
}
@Override
public List<MasterProduct> getAllMasterProductsByNomenclatureCode(CatalogFilterVO catalogFilter) {
StringBuilder select = paginatedListMasterProductSelectQuery();
StringBuilder join = paginatedListMasterProductJoinQuery(catalogFilter);
StringBuilder clause = paginatedListMasterProductClauseQuery(catalogFilter);
StringBuilder orderBy = paginatedListMasterProductOrderByAllFieldQuery(catalogFilter);
StringBuilder count = paginatedListMasterProductCountQuery();
String queryString = new StringBuilder().append(select).append(join).append(clause).append(orderBy).toString();
Query query = getSessionFactory().getCurrentSession().createQuery(queryString);
Query countQuery = createQuery(new StringBuffer().append(count).append(join).append(clause).toString());
setParameterQuery(query, countQuery, catalogFilter);
return query.list();
}
}
On line Query query = getSessionFactory().getCurrentSession().createQuery(queryString);
我遇到了这个sonarqube漏洞问题:This use of org/hibernate/Session.createQuery(Ljava/lang/String;)Lorg/hibernate/Query;可能容易受到 SQL/HQL 注入(使用 Hibernate)
如何修复我的漏洞?我正在使用 hibernate 参数绑定并在 setParameterQuery 中设置值。
怎么了?
这是一个公共方法,它将 String 参数作为查询,这就是它抱怨的原因。
您需要将查询限制为不能从外部自由选择的内容。