-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
DR-112 - New Feature #29
base: main
Are you sure you want to change the base?
Conversation
} | ||
public void save(Sale sale) { | ||
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")"; | ||
jdbcTemplate.update(sql); |
Check failure
Code scanning / CodeQL
Query built from user-controlled sources High
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 2 months ago
To fix the problem, we need to replace the string concatenation in the save
method with a parameterized query using PreparedStatement
. This will ensure that user input is properly escaped and prevent SQL injection attacks.
- Change the SQL query construction in the
save
method to use placeholders (?
) for the values. - Use
jdbcTemplate.update
with the SQL query and the values from theSale
object as parameters.
-
Copy modified lines R33-R36
@@ -32,6 +32,6 @@ | ||
|
||
public void save(Sale sale) { | ||
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")"; | ||
jdbcTemplate.update(sql); | ||
} | ||
public void save(Sale sale) { | ||
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)"; | ||
jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount()); | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 suggestions.
Files not reviewed (1)
- pom.xml: Language not supported
Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more
e.printStackTrace(); // log any other exceptions | ||
} | ||
public void save(Sale sale) { | ||
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The new save method introduces a potential SQL injection vulnerability. Use parameterized queries to prevent SQL injection.
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES ('" + sale.getItem() + "', " + sale.getQuantity() + ", " + sale.getAmount() + ")"; | |
String sql = "INSERT INTO SALES (item, quantity, amount) VALUES (?, ?, ?)"; | |
jdbcTemplate.update(sql, sale.getItem(), sale.getQuantity(), sale.getAmount()); |
Copilot is powered by AI, so mistakes are possible. Review output carefully before use.
} catch (Exception e) { | ||
e.printStackTrace(); // log any other exceptions | ||
} | ||
public void save(Sale sale) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The removal of the null check for the sale object might lead to a NullPointerException. Re-add the null check for the sale object.
Copilot is powered by AI, so mistakes are possible. Review output carefully before use.
This pull request includes changes to the GitHub Actions workflow file
.github/workflows/ci.yml
,pom.xml
,src/main/java/net/codejava/SalesDAO.java
, andsrc/main/resources/static/js/styles.js
. The changes mainly involve the renaming and simplification of debugging steps, addition of JavaScript as a language in the CodeQL analysis, downgrading of CodeQL and Autobuild actions, modification of the test splitting glob pattern, removal of the publish-test-results job, and changes in the save method inSalesDAO.java
. Additionally, a new dependency was added topom.xml
and the color scheme instyles.js
was updated.CI Workflow modifications:
.github/workflows/ci.yml
: Renamed thessh_debug_enabled
input todebug_enabled
and updated its description..github/workflows/ci.yml
: Added 'javascript' to thelanguage
matrix..github/workflows/ci.yml
: Downgraded the version ofgithub/codeql-action/init
,github/codeql-action/autobuild
, andgithub/codeql-action/analyze
from v3 to v2. [1] [2].github/workflows/ci.yml
: Updated theif
condition in theSetup tmate session
step to use the newdebug_enabled
input..github/workflows/ci.yml
: Removed thepublish-test-results
job..github/workflows/ci.yml
: Removed thedebug
input from thewith
section of thedeploy-to-aws
job.Addition of a new dependency:
pom.xml
: Added a new dependency forspring-security-core
.Changes in the
SalesDAO.java
file:src/main/java/net/codejava/SalesDAO.java
: Simplified thesave
method by removing the checks for duplicate keys and null values, and changed the SQL statement.Changes in the
styles.js
file:src/main/resources/static/js/styles.js
: Changed the color of headers when the search feature is enabled.