Info Call to SQLite query API

Description

Improper SQL query construction could lead to SQL injection. An SQL injection attack consists of injecting of an SQL query via the input data from the client to the application

Recommendation

This entry is informative, no recommendations applicable.

Technical details

Method com.microsoft.appcenter.utils.storage.DatabaseManager.getCursor() calling method android.database.sqlite.SQLiteQueryBuilder.appendWhere()


    android.database.Cursor getCursor(String p9, Object p10, boolean p11)
    {
        String[] v4;
        android.database.sqlite.SQLiteQueryBuilder v0 = com.microsoft.appcenter.utils.storage.SQLiteUtils.newSQLiteQueryBuilder();
        v0.setTables(this.mTable);
        if (p9 != null) {
            if (p10 != null) {
                v0.appendWhere(new StringBuilder().append(p9).append(" = ?").toString());
                v4 = new String[1];
                v4[0] = String.valueOf(p10.toString());
            } else {
                v0.appendWhere(new StringBuilder().append(p9).append(" IS NULL").toString());
                v4 = 0;
            }
        } else {
            v4 = 0;
        }
        int v2;
        if (!p11) {
            v2 = 0;
        } else {
            v2 = new String[1];
            v2[0] = "oid";
        }
        return v0.query(this.getDatabase(), v2, 0, v4, 0, 0, "oid");
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.getCursor() calling method android.database.sqlite.SQLiteQueryBuilder.query()


    android.database.Cursor getCursor(String p9, Object p10, boolean p11)
    {
        String[] v4;
        android.database.sqlite.SQLiteQueryBuilder v0 = com.microsoft.appcenter.utils.storage.SQLiteUtils.newSQLiteQueryBuilder();
        v0.setTables(this.mTable);
        if (p9 != null) {
            if (p10 != null) {
                v0.appendWhere(new StringBuilder().append(p9).append(" = ?").toString());
                v4 = new String[1];
                v4[0] = String.valueOf(p10.toString());
            } else {
                v0.appendWhere(new StringBuilder().append(p9).append(" IS NULL").toString());
                v4 = 0;
            }
        } else {
            v4 = 0;
        }
        int v2;
        if (!p11) {
            v2 = 0;
        } else {
            v2 = new String[1];
            v2[0] = "oid";
        }
        return v0.query(this.getDatabase(), v2, 0, v4, 0, 0, "oid");
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.update() calling method android.database.sqlite.SQLiteDatabase.update()


    public boolean update(long p12, android.content.ContentValues p14)
    {
        int v2 = 1;
        if (this.mIMDB != null) {
            android.content.ContentValues v1_1 = ((android.content.ContentValues) this.mIMDB.get(Long.valueOf(p12)));
            if (v1_1 != null) {
                v1_1.putAll(p14);
            } else {
                v2 = 0;
            }
        } else {
            try {
                String v4_4 = this.getDatabase();
                Long v5_1 = this.mTable;
                String[] v7_1 = new String[1];
                v7_1[0] = String.valueOf(p12);
            } catch (RuntimeException v0) {
                this.switchToInMemory("update", v0);
            }
            if (v4_4.update(v5_1, p14, "oid = ?", v7_1) <= 0) {
                v2 = 0;
            }
        }
        return v2;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.put() calling method android.database.sqlite.SQLiteDatabase.insertOrThrow()


    public long put(android.content.ContentValues p9)
    {
        long v2;
        if (this.mIMDB != null) {
            p9.put("oid", Long.valueOf(this.mIMDBAutoInc));
            this.mIMDB.put(Long.valueOf(this.mIMDBAutoInc), p9);
            v2 = this.mIMDBAutoInc;
            this.mIMDBAutoInc = (1 + v2);
        } else {
            try {
                v2 = this.getDatabase().insertOrThrow(this.mTable, 0, p9);
            } catch (RuntimeException v1) {
                this.switchToInMemory("put", v1);
            }
            if ((((long) this.mMaxNumberOfRecords) < this.getRowCount()) && (this.mMaxNumberOfRecords > 0)) {
                android.database.Cursor v0 = this.getCursor(0, 0, 1);
                v0.moveToNext();
                this.delete(v0.getLong(0));
                v0.close();
            }
        }
        return v2;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.delete() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    public void delete(java.util.List p8)
    {
        if (p8.size() > 0) {
            if (this.mIMDB != null) {
                String v2_4 = p8.iterator();
                while (v2_4.hasNext()) {
                    this.mIMDB.remove(((Long) v2_4.next()));
                }
            } else {
                try {
                    String v2_1 = this.getDatabase();
                    java.util.Map v3_8 = new StringBuilder().append("DELETE FROM ").append(this.mTable).append(" WHERE ").append("oid").append(" IN (%s);").toString();
                    Object[] v4_6 = new Object[1];
                    v4_6[0] = android.text.TextUtils.join(", ", p8);
                    v2_1.execSQL(String.format(v3_8, v4_6));
                } catch (RuntimeException v0) {
                    this.switchToInMemory("delete", v0);
                }
            }
        }
        return;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager$1.onUpgrade() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    public void onUpgrade(android.database.sqlite.SQLiteDatabase p3, int p4, int p5)
    {
        if (!com.microsoft.appcenter.utils.storage.DatabaseManager.access$200(this.this$0).onUpgrade(p3, p4, p5)) {
            p3.execSQL(new StringBuilder().append("DROP TABLE `").append(com.microsoft.appcenter.utils.storage.DatabaseManager.access$000(this.this$0)).append("`").toString());
            this.onCreate(p3);
        }
        return;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager$1.onCreate() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    public void onCreate(android.database.sqlite.SQLiteDatabase p7)
    {
        StringBuilder v1_1 = new StringBuilder("CREATE TABLE `");
        v1_1.append(com.microsoft.appcenter.utils.storage.DatabaseManager.access$000(this.this$0));
        v1_1.append("` (oid INTEGER PRIMARY KEY AUTOINCREMENT");
        java.util.Iterator v4 = com.microsoft.appcenter.utils.storage.DatabaseManager.access$100(this.this$0).valueSet().iterator();
        while (v4.hasNext()) {
            java.util.Map$Entry v0_1 = ((java.util.Map$Entry) v4.next());
            v1_1.append(", `").append(((String) v0_1.getKey())).append("` ");
            Object v2 = v0_1.getValue();
            if ((!(v2 instanceof Double)) && (!(v2 instanceof Float))) {
                if ((!(v2 instanceof Number)) && (!(v2 instanceof Boolean))) {
                    if (!(v2 instanceof byte[])) {
                        v1_1.append("TEXT");
                    } else {
                        v1_1.append("BLOB");
                    }
                } else {
                    v1_1.append("INTEGER");
                }
            } else {
                v1_1.append("REAL");
            }
        }
        v1_1.append(");");
        p7.execSQL(v1_1.toString());
        return;
    }

Method com.microsoft.appcenter.persistence.DatabasePersistence$1.onUpgrade() calling method android.database.sqlite.SQLiteDatabase.execSQL()


    public boolean onUpgrade(android.database.sqlite.SQLiteDatabase p2, int p3, int p4)
    {
        p2.execSQL("ALTER TABLE logs ADD COLUMN `target_token` TEXT");
        p2.execSQL("ALTER TABLE logs ADD COLUMN `type` TEXT");
        return 1;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.delete() calling method android.database.sqlite.SQLiteDatabase.delete()


    public void delete(String p11, Object p12)
    {
        if (this.mIMDB != null) {
            if (!"oid".equals(p11)) {
                java.util.Iterator v2 = this.mIMDB.entrySet().iterator();
                while (v2.hasNext()) {
                    Object v3 = ((android.content.ContentValues) ((java.util.Map$Entry) v2.next()).getValue()).get(p11);
                    if ((v3 != null) && (v3.equals(p12))) {
                        v2.remove();
                    }
                }
            } else {
                if ((p12 != null) && ((p12 instanceof Number))) {
                    this.mIMDB.remove(Long.valueOf(((Number) p12).longValue()));
                } else {
                    throw new IllegalArgumentException("Primary key should be a number type and cannot be null");
                }
            }
        } else {
            try {
                boolean v4_11 = this.getDatabase();
                Long v5_2 = this.mTable;
                long v6_5 = new StringBuilder().append(p11).append(" = ?").toString();
                String[] v7_2 = new String[1];
                v7_2[0] = String.valueOf(p12);
                v4_11.delete(v5_2, v6_5, v7_2);
            } catch (RuntimeException v0) {
                this.switchToInMemory("delete", v0);
            }
        }
        return;
    }

Method com.microsoft.appcenter.utils.storage.DatabaseManager.clear() calling method android.database.sqlite.SQLiteDatabase.delete()


    public void clear()
    {
        if (this.mIMDB != null) {
            this.mIMDB.clear();
        } else {
            try {
                this.getDatabase().delete(this.mTable, 0, 0);
            } catch (RuntimeException v0) {
                this.switchToInMemory("clear", v0);
            }
        }
        return;
    }