nyx/tests/fixtures/realistic/sqli_xlang/SqliJavaHibernateNative.java

// Phase 15 — Hibernate `session.createNativeQuery` interpolation SQLi
// positive.  `session.createNativeQuery` is a flat SQL_QUERY sink in
// `labels/java.rs`; the `String.format` call interpolates the user-
// controlled name into the SQL string with no parameterisation.
package com.example;

import javax.servlet.http.HttpServletRequest;
import org.hibernate.Session;

public class SqliJavaHibernateNative {
    public Object lookup(HttpServletRequest request, Session session) {
        String name = request.getParameter("name");
        String sql = String.format("SELECT * FROM users WHERE name = '%s'", name);
        return session.createNativeQuery(sql).getResultList();
    }
}
Critical bug fixes and recall improvements (#68) 2026-05-11 12:42:39 -04:00			// Phase 15 — Hibernate `session.createNativeQuery` interpolation SQLi
			// positive. `session.createNativeQuery` is a flat SQL_QUERY sink in
			// `labels/java.rs`; the `String.format` call interpolates the user-
			`// controlled name into the SQL string with no parameterisation.`
			`package com.example;`

			`import javax.servlet.http.HttpServletRequest;`
			`import org.hibernate.Session;`

			`public class SqliJavaHibernateNative {`
			`public Object lookup(HttpServletRequest request, Session session) {`
			`String name = request.getParameter("name");`
			`String sql = String.format("SELECT * FROM users WHERE name = '%s'", name);`
			`return session.createNativeQuery(sql).getResultList();`
			`}`
			`}`