Review

Detector:

Findbugs

Target:

project '

odata4j

' version

0.6

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-1
In File:	org/odata4j/producer/jpa/ExecuteCountQueryCommand.java
In Method:	execute(JPAContext)
Code with Finding:	class ExecuteCountQueryCommand { @Override public boolean execute(JPAContext context) { // get the jpql String jpql = context.getJPQLQuery(); // jpql -> jpa query Query tq = context.getEntityManager().createQuery(jpql); // execute jpa query Long count = (Long) tq.getSingleResult(); QueryInfo query = context.getQueryInfo(); // apply $skip. // example: http://odata.netflix.com/Catalog/Titles/$count?$skip=100 if (query != null && query.skip != null) count = Math.max(0, count - query.skip); // apply $top. // example: http://odata.netflix.com/Catalog/Titles/$count?$top=10 if (query != null && query.top != null) count = Math.min(count, query.top); context.setResult(JPAResults.count(count)); return false; } }

Hit	Rank	Desc	Type	Violations
Yes	1	SECSQLIJPA: This use of javax/persistence/EntityManager.createQuery(Ljava/lang/String;)Ljavax/persistence/Query; can be vulnerable to SQL/JPQL injection	SQL_INJECTION_JPA

Reviewer Name:

anna

Comment:

stores persistence information - no guarantee that the input is sanitized.