Your app(s) are using a content provider that contains a SQL Injection vulnerability


Problem description

I have 2 apps. The second app interacts with the first app through a content provider to get some credentials. Today while uploading my apk on Playstore I got an error: "SQL Injection: Your app(s) are using a content provider that contains a SQL Injection vulnerability. To address this issue, follow the steps in this Google Help Center article."

Now I performed all the steps mentioned in the article but still get the same error. The steps specifically being:

If an affected ContentProvider needs to be exposed to other apps:

  • You can prevent SQL Injection into SQLiteDatabase.query by using
    strict mode with a projection map. Strict mode protects against
    malicious selection clauses and the projection map protects against
    malicious projection clauses. You must use both of these features to ensure that your queries are safe.

  • You can prevent SQL Injection into SQLiteDatabase.update and SQLiteDatabase.delete by using a selection clause that uses '?' as a replaceable parameter and a separate array of selection arguments. Your selection clause should not be constructed from untrusted inputs.

My SQLiteQueryBuilder with strict = true set and a projection map:

    private static final HashMap<String, String> values;
    static {
        values = new HashMap<String, String>();
        values.put("_id", "_id");
        values.put("name", "name");
    }

    @Override
    public Cursor query(@NonNull Uri uri, @Nullable String[] projection, @Nullable String selection,
                        @Nullable String[] selectionArgs, @Nullable String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_NAME);
        qb.setStrict(true);                  // validate the caller-supplied selection clause

        switch (uriMatcher.match(uri)) {
            case uriCode:
                qb.setProjectionMap(values); // only "_id" and "name" may appear in the projection
                break;
            default:
                throw new IllegalArgumentException("Unknown URI " + uri);
        }

        // Compare contents, not references: a String received over Binder is never == "".
        if (sortOrder == null || sortOrder.isEmpty()) {
            sortOrder = name;                // default sort column (a String constant defined elsewhere)
        }
        Cursor c = qb.query(db, projection, selection, selectionArgs, null,
                null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

Recommended answer

It's not an answer. (I don't have enough reputation to comment). Looks like the error relates to update and delete only, defined in the content provider. The code above just returns data. I suggest going back to each of your content providers and checking:

    delete(Uri var1, String var2, String[] var3)
    update(Uri var1, ContentValues var2, String var3, String[] var4);

The TABLE_ID case should have selection and selection arguments defined as you mentioned. In my recent app I defined "=?" in e.g. delete, but used .delete(object_Url, null, null) when calling the ContentResolver. If the object_Url matches the id it is parsed and selection arguments are returned, e.g.

    selection = CONTRACT._ID + "=?";
    selectionArgs = new String[] {String.valueOf(ContentUris.parseId(uri))};
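As an added illustration (this is not code from the question or from the answer above), here is a complete provider that applies both parts of the Google guidance quoted in the question: query() uses strict mode plus a projection map, while update() and delete() use a fixed "_id = ?" clause with the id parsed from the URI, as the answer suggests. The authority, table name, "name" column, DbHelper class and CredentialsProvider name are assumptions made for this example.

```java
// Added example (not the question's or answer's code). AUTHORITY, TABLE_NAME,
// the "name" column and DbHelper are assumptions made for this illustration.
import android.content.ContentProvider;
import android.content.ContentUris;
import android.content.ContentValues;
import android.content.Context;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.DatabaseUtils;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.text.TextUtils;
import java.util.HashMap;
import java.util.Map;

public class CredentialsProvider extends ContentProvider {
    static final String AUTHORITY = "com.example.credentials"; // assumed
    static final String TABLE_NAME = "credentials";            // assumed
    static final int CODE_TABLE = 1; // content://AUTHORITY/credentials
    static final int CODE_ROW = 2;   // content://AUTHORITY/credentials/<id>

    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    // Projection map: the only column names a caller may use in a projection.
    static final Map<String, String> PROJECTION_MAP = new HashMap<>();
    static {
        MATCHER.addURI(AUTHORITY, TABLE_NAME, CODE_TABLE);
        MATCHER.addURI(AUTHORITY, TABLE_NAME + "/#", CODE_ROW);
        PROJECTION_MAP.put("_id", "_id");
        PROJECTION_MAP.put("name", "name");
    }

    // Minimal schema helper (assumed) so the example is self-contained.
    static class DbHelper extends SQLiteOpenHelper {
        DbHelper(Context ctx) { super(ctx, "credentials.db", null, 1); }
        @Override public void onCreate(SQLiteDatabase db) {
            db.execSQL("CREATE TABLE " + TABLE_NAME + " (_id INTEGER PRIMARY KEY, name TEXT)");
        }
        @Override public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { }
    }

    private DbHelper helper;

    @Override public boolean onCreate() { helper = new DbHelper(getContext()); return true; }

    @Override public String getType(Uri uri) {
        switch (MATCHER.match(uri)) {
            case CODE_TABLE: return "vnd.android.cursor.dir/vnd." + AUTHORITY + "." + TABLE_NAME;
            case CODE_ROW:   return "vnd.android.cursor.item/vnd." + AUTHORITY + "." + TABLE_NAME;
            default: throw new IllegalArgumentException("Unknown URI " + uri);
        }
    }

    // The row id comes from the URI path, never from a caller-supplied clause.
    private static String[] rowIdArg(Uri uri) {
        return new String[] { String.valueOf(ContentUris.parseId(uri)) };
    }

    @Override public Cursor query(Uri uri, String[] projection, String selection,
                                  String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE_NAME);
        qb.setStrict(true);                  // caller's selection is checked for injection
        qb.setProjectionMap(PROJECTION_MAP); // unknown projection columns are rejected
        String where = selection;
        String[] args = selectionArgs;
        switch (MATCHER.match(uri)) {
            case CODE_TABLE: break;
            case CODE_ROW:
                // Builds "(selection) AND (_id = ?)" and appends the id to the argument array.
                where = DatabaseUtils.concatenateWhere(selection, "_id = ?");
                args = DatabaseUtils.appendSelectionArgs(selectionArgs, rowIdArg(uri));
                break;
            default: throw new IllegalArgumentException("Unknown URI " + uri);
        }
        // Strict mode inspects the selection, not ORDER BY: accept only known column names.
        if (TextUtils.isEmpty(sortOrder)) sortOrder = "name";
        else if (!PROJECTION_MAP.containsKey(sortOrder))
            throw new IllegalArgumentException("Unsupported sort order");
        Cursor c = qb.query(helper.getReadableDatabase(), projection, where, args,
                null, null, sortOrder);
        c.setNotificationUri(getContext().getContentResolver(), uri);
        return c;
    }

    @Override public Uri insert(Uri uri, ContentValues values) {
        if (MATCHER.match(uri) != CODE_TABLE) throw new IllegalArgumentException("Unknown URI " + uri);
        long id = helper.getWritableDatabase().insert(TABLE_NAME, null, values);
        getContext().getContentResolver().notifyChange(uri, null);
        return ContentUris.withAppendedId(uri, id);
    }

    // update/delete have no strict mode, so the caller's selection is not used at all:
    // only row URIs are accepted and the clause is a fixed "_id = ?" with one bound argument.
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        if (MATCHER.match(uri) != CODE_ROW) throw new UnsupportedOperationException("Row URI required: " + uri);
        int n = helper.getWritableDatabase().update(TABLE_NAME, values, "_id = ?", rowIdArg(uri));
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }

    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        if (MATCHER.match(uri) != CODE_ROW) throw new UnsupportedOperationException("Row URI required: " + uri);
        int n = helper.getWritableDatabase().delete(TABLE_NAME, "_id = ?", rowIdArg(uri));
        if (n > 0) getContext().getContentResolver().notifyChange(uri, null);
        return n;
    }
}
```

Two design points worth noting. First, for query() the caller's selection is still forwarded, because setStrict(true) makes SQLiteQueryBuilder validate it before it is run; the sort order is not covered by that check, so the example restricts it to the column names in the projection map (on API 28 and later, setStrictColumns and setStrictGrammar extend the checks further). Second, SQLiteDatabase.update and delete have no strict mode at all, which is why this example ignores the selection and selectionArgs that another app passes in and derives the only clause from the URI id, exactly the pattern the answer describes with ContentUris.parseId; if bulk updates on the table URI are needed, the clause must be a fixed string with '?' placeholders and the untrusted values placed only in the argument array.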
