Merge pull request #3671 from semgrep/kb/sqli-fmt-string-mvar-focus

kurt-r2c · web-flow · commit d544cd509e4f · 2025-08-11T11:26:06.000-07:00
fix(java): formatted-sql-string Java rule had incorrect mvar-focus
diff --git a/java/lang/security/audit/formatted-sql-string.java b/java/lang/security/audit/formatted-sql-string.java
@@ -143,3 +143,13 @@ public List<Student> addWhere(String name, CriteriaQuery Query)
         return students;
     }
 }
+
+public class SqlExampleFocusMetavar {
+    public void get(HttpServletRequest req) {
+        Connection c = DB.getConnection();
+        String p = req.getParam("param");
+        PreparedStatement statement = c.prepareStatment("SELECT * FROM " + p);
+        // ruleid: formatted-sql-string
+        ResultSet rs = statement.executeQuery();
+    }
+}
diff --git a/java/lang/security/audit/formatted-sql-string.yaml b/java/lang/security/audit/formatted-sql-string.yaml
@@ -46,7 +46,7 @@ rules:
               ...
             }
         - pattern: (String $INPUT)
-    - focus-metavariable: $INPUT
+        - focus-metavariable: $INPUT
     label: INPUT
   - patterns:
     - pattern-either:

Original file line number	Diff line number	Diff line change
`@@ -143,3 +143,13 @@ public List<Student> addWhere(String name, CriteriaQuery Query)`
`143`	`143`	`return students;`
`144`	`144`	`}`
`145`	`145`	`}`
	`146`	`+`
	`147`	`+public class SqlExampleFocusMetavar {`
	`148`	`+ public void get(HttpServletRequest req) {`
	`149`	`+ Connection c = DB.getConnection();`
	`150`	`+ String p = req.getParam("param");`
	`151`	`+ PreparedStatement statement = c.prepareStatment("SELECT * FROM " + p);`
	`152`	`+ // ruleid: formatted-sql-string`
	`153`	`+ ResultSet rs = statement.executeQuery();`
	`154`	`+ }`
	`155`	`+}`