Parameterize BSA native SQL queries for SQLi safety #3119

Open

CydeWeys wants to merge 1 commit into google:master from CydeWeys:fix-bsa-sqli

Conversation

@CydeWeys CydeWeys commented Jun 29, 2026

Member

Remediate BSA SQL Injection (A.2.2) by parameterizing native queries in Queries.java. Rather than formatting operator-supplied domain list tuples directly into a SQL query string:

  • Dynamically build a parameterized SQL query utilizing Postgres named parameters.
  • Bind the label and tld segments using .setParameter.
  • Return early on empty domain sets to avoid empty IN clause syntax errors.
  • Add test cases in QueriesTest.java to verify SQL injection safety and empty collection handling.

TAG=agy
CONV=610c2358-a99f-4605-94cd-ff0d4ee08176

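As an added illustration of the approach described above (example code written for this page, not the pull request's own Queries.java), the following builds a native query with one JPA named parameter per label and per tld, binds each value with `setParameter`, and returns early on an empty set so no `IN ()` is ever emitted. The table and column names (`"Domain"`, `domain_name_label`, `tld`), the `DomainParts` record and the `jakarta.persistence` import are assumptions for the example, not the project's schema or API.

```java
import jakarta.persistence.EntityManager;
import jakarta.persistence.Query;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

/**
 * Added example: looks up (label, tld) pairs with a parameterized native query.
 * Table and column names below are assumptions, not the project's real schema.
 */
public final class ParameterizedDomainLookup {

  /** Minimal (label, tld) pair; a stand-in for whatever type the project uses. */
  public record DomainParts(String label, String tld) {}

  // Hypothetical schema; Postgres compares the row constructor (label, tld)
  // against each (:labelN, :tldN) tuple in the IN list.
  private static final String SQL_PREFIX =
      "SELECT domain_name FROM \"Domain\" WHERE (domain_name_label, tld) IN (";

  /**
   * Builds the SQL text with one named parameter per label and per tld, e.g.
   * "... IN ((:label0, :tld0), (:label1, :tld1))". Only generated placeholder
   * names enter the SQL string; the operator-supplied values never do, which is
   * the difference from formatting the tuples into the query text directly.
   */
  static String buildSql(int pairCount) {
    StringBuilder sb = new StringBuilder(SQL_PREFIX);
    for (int i = 0; i < pairCount; i++) {
      if (i > 0) {
        sb.append(", ");
      }
      sb.append("(:label").append(i).append(", :tld").append(i).append(')');
    }
    return sb.append(')').toString();
  }

  /** Returns the stored domain names matching any of the given (label, tld) pairs. */
  @SuppressWarnings("unchecked")
  static List<String> findExisting(EntityManager em, Collection<DomainParts> domains) {
    if (domains.isEmpty()) {
      // "IN ()" is a syntax error in Postgres, and an empty input can only match nothing.
      return List.of();
    }
    List<DomainParts> ordered = new ArrayList<>(domains);
    Query query = em.createNativeQuery(buildSql(ordered.size()));
    for (int i = 0; i < ordered.size(); i++) {
      // Values travel as bind parameters: quotes or comment markers inside a label
      // are sent as data and cannot change the statement's structure.
      query.setParameter("label" + i, ordered.get(i).label());
      query.setParameter("tld" + i, ordered.get(i).tld());
    }
    return (List<String>) query.getResultList();
  }
}
```

A test in the spirit of the ones this PR adds would call `findExisting` with a label containing a single quote and assert that the query still executes and returns no row, and call it with an empty collection and assert that no query is issued. Each pair adds two bind parameters, so very large inputs should be chunked before calling this helper, since JDBC drivers cap the number of parameters per statement.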