java - Checkmarx security with Database ResultSet

Question

This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in method RepositoryClass. This may enable a Stored Cross-Site-Scripting attack. I am not displaying any data retrieved from database to user .

How to solve this issue?Or this is a false positive? I have below code snippet

@RestController
public class TestController {
    
    @GetMapping("/date")
    public String m1(@Pathvariable String date) {
    // call to repository
   List<Employees> employeeList=  repositoryClass.m1(date);
 // then i send this employeeList to kafka topic using Kafka Template

    return "Procedure  ran ";

// @RestController
public class RepositoryClass {

       void List<Employees> m1(String date )
{
     List<Employees> employeeList = jdbcTemplate.execute(date); //call to procdure to get employeeList

}
}

question from:https://stackoverflow.com/questions/66049744/checkmarx-security-with-database-resultset

Answer 1

The "date" you get from frontend has not been filtered, and you use this "date" to execute SQL directly, this may cause SQL injection. for your situation, the "date" is just used as a condition of SQL. from the code you showed, I don't think this would be a stored-XSS, but I recommend you to do a filter function a limitate the "date" to avoid SQL injection.