diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index c6ffeedd36..04669830e9 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -12,6 +12,11 @@
 **Vulnerability:** Found JPQL injection in `ServiceCategoryController.java` where `getSelectText()` was directly concatenated into the query string for `findByJpql`.
 **Learning:** Controller classes in `com.divudi.bean.*` often use string building for `getSelectedItems()` when searching by name, exposing the system to injection vulnerabilities.
 **Prevention:** Use parameterized queries (`like :q`) and pass a `Map` to `getFacade().findByJpql(sql, params)` instead of string concatenation.
+
+## 2026-06-14 - JPQL Injection via String Concatenation in Controllers
+**Vulnerability:** Found JPQL injection in `RoomController.java` where `getSelectText()` was directly concatenated into the query string for `findByJpql`.
+**Learning:** Similar to the previous entry, controller classes (like `RoomController`) often use string building for `getSelectedItems()` when searching by name, exposing the system to injection vulnerabilities.
+**Prevention:** Use parameterized queries (`like :q`) and pass a `Map` to `getFacade().findByJpql(sql, params)` instead of string concatenation.
 
 ## 2024-06-15 - Hardcoded Payment Gateway Secrets
 **Vulnerability:** Hardcoded payment gateway secrets (Merchant ID, API Username, API Password) were used as default values when fetching configuration settings in `PaymentGatewayController.java`.
diff --git a/src/main/java/com/divudi/bean/inward/RoomController.java b/src/main/java/com/divudi/bean/inward/RoomController.java
index 4c3872bdc2..d0ba65ef2a 100644
--- a/src/main/java/com/divudi/bean/inward/RoomController.java
+++ b/src/main/java/com/divudi/bean/inward/RoomController.java
@@ -15,6 +15,8 @@
 import java.io.Serializable;
 import java.util.Date;
 import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
 import javax.ejb.EJB;
 import javax.enterprise.context.SessionScoped;
 import javax.faces.component.UIComponent;
@@ -44,7 +46,10 @@ public class RoomController implements Serializable {
 String selectText = "";
 
 public List getSelectedItems() {
- selectedItems = getFacade().findByJpql("select c from Room c where c.retired=false and (c.name) like '%" + getSelectText().toUpperCase() + "%' order by c.name");
+ String sql = "select c from Room c where c.retired=false and upper(c.name) like :q order by c.name";
+ Map m = new HashMap<>();
+ m.put("q", "%" + getSelectText().toUpperCase() + "%");
+ selectedItems = getFacade().findByJpql(sql, m);
 return selectedItems;
 }
 
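Review bot: `Map m = new HashMap<>();` in the new body of getSelectedItems declares a raw `Map`, so the diamond infers `Object, Object` and the unchecked `put` warning is silently accepted; declare it as `Map<String, Object> m = new HashMap<>();` (the import hunk above also lists `java.util.Map` before `java.util.HashMap`, out of the file's apparent alphabetical order). Binding `:q` as a parameter removes the JPQL injection, but `%` and `_` typed into selectText are still LIKE metacharacters, so a `%`-only or empty search returns every non-retired room, as it did before the change; if a literal match is intended, escape those two characters before wrapping the value in `%`, otherwise a one-line comment such as `// :q is a bound parameter; LIKE wildcards in selectText are intentionally honoured` would record the decision. `getSelectText().toUpperCase()` is locale-sensitive and would throw if a view ever sets selectText to null, which the field's `""` initialiser does not rule out; `toUpperCase(Locale.ROOT)` behind a null guard would line up more predictably with the JPQL `upper()` on the column — confirm how the page binds the field. Naming the query string `jpql` rather than `sql` would also make the sentinel entry's point obvious to the next reader.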