From c14ade0cdb4205d0f3e5f0519f5a40b0ad07629c Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 14 Jun 2026 18:13:29 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20JPQL=20injection=20in=20RoomController?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: manupawickramasinghe <73810867+manupawickramasinghe@users.noreply.github.com>
---
 .jules/sentinel.md | 5 +++++
 src/main/java/com/divudi/bean/inward/RoomController.java | 7 ++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
index 77246ca8679..413d63b0826 100644
--- a/.jules/sentinel.md
+++ b/.jules/sentinel.md
@@ -12,3 +12,8 @@
 **Vulnerability:** Found JPQL injection in `ServiceCategoryController.java` where `getSelectText()` was directly concatenated into the query string for `findByJpql`.
 **Learning:** Controller classes in `com.divudi.bean.*` often use string building for `getSelectedItems()` when searching by name, exposing the system to injection vulnerabilities.
 **Prevention:** Use parameterized queries (`like :q`) and pass a `Map` to `getFacade().findByJpql(sql, params)` instead of string concatenation.
+
+## 2026-06-14 - JPQL Injection via String Concatenation in Controllers
+**Vulnerability:** Found JPQL injection in `RoomController.java` where `getSelectText()` was directly concatenated into the query string for `findByJpql`.
+**Learning:** Similar to the previous entry, controller classes (like `RoomController`) often use string building for `getSelectedItems()` when searching by name, exposing the system to injection vulnerabilities.
+**Prevention:** Use parameterized queries (`like :q`) and pass a `Map` to `getFacade().findByJpql(sql, params)` instead of string concatenation. 
diff --git a/src/main/java/com/divudi/bean/inward/RoomController.java b/src/main/java/com/divudi/bean/inward/RoomController.java
index 4c3872bdc26..d0ba65ef2a5 100644
--- a/src/main/java/com/divudi/bean/inward/RoomController.java
+++ b/src/main/java/com/divudi/bean/inward/RoomController.java
@@ -15,6 +15,8 @@
 import java.io.Serializable;
 import java.util.Date;
 import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
 import javax.ejb.EJB;
 import javax.enterprise.context.SessionScoped;
 import javax.faces.component.UIComponent;
@@ -44,7 +46,10 @@ public class RoomController implements Serializable {
 String selectText = "";
 
 public List getSelectedItems() {
- selectedItems = getFacade().findByJpql("select c from Room c where c.retired=false and (c.name) like '%" + getSelectText().toUpperCase() + "%' order by c.name");
+ String sql = "select c from Room c where c.retired=false and upper(c.name) like :q order by c.name";
+ Map m = new HashMap<>();
+ m.put("q", "%" + getSelectText().toUpperCase() + "%");
+ selectedItems = getFacade().findByJpql(sql, m);
 return selectedItems;
 }
 
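Review bot: The new parameter map in getSelectedItems() is declared as a raw `Map m = new HashMap<>();`, which compiles with an unchecked warning and hides the key/value contract; declare it as `Map<String, Object> m = new HashMap<>();` (assuming findByJpql accepts that signature, which the sentinel note implies but the hunk does not show). The parameterized `:q` binding does close the injection, but `getSelectText().toUpperCase()` uses the JVM default locale while `upper(c.name)` is evaluated by the database, so the two sides can disagree for non-ASCII names in some locales — `toUpperCase(Locale.ROOT)` (with `import java.util.Locale;`) makes the Java side deterministic, and a null selectText would still throw here, so a guard or `Objects.requireNonNullElse(getSelectText(), "")` is worth considering if the setter can receive null. Also note that `%` and `_` typed by the user remain LIKE wildcards inside the bound value; that is a matching/cost concern rather than an injection, but worth a one-line comment such as `// user text is bound as a LIKE parameter; '%'/'_' still act as wildcards` so it is not mistaken for a regression later. The added imports put `java.util.Map` before `java.util.HashMap`, which breaks the alphabetical order of the surrounding block. The enclosing class RoomController starts outside this hunk.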