# Unsanitized user input in SQL catalog configuration

## Overview

* **Rule ID**: `java_lang_information_leakage`
* **Applicable Languages**: Java
* **Weakness ID**: CWE-15

## Description

Using unsanitized user input to configure a SQL `Connection`'s catalog can lead to serious security vulnerabilities. An attacker who controls the catalog name passed to the `setCatalog` method can point the connection at a catalog the application never intended to use, potentially causing harmful or unintended actions within the application.

## Remediation Guidelines

* **Do not** use direct user input for setting the SQL database's catalog. Always sanitize or validate input before using it in your database configuration.
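The vulnerable pattern from the description beside one way to apply the guideline above, as an added example that is not part of the original rule page. The allowlist contents, the identifier pattern and the class and method names are assumptions chosen for illustration.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Set;
import java.util.regex.Pattern;

public final class CatalogSelection {

    // Hypothetical allowlist: the only catalogs this application may switch to.
    private static final Set<String> ALLOWED_CATALOGS = Set.of("sales", "inventory", "reporting");

    // Shape check in addition to the allowlist: plain identifier characters, bounded length.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    // Vulnerable pattern (CWE-15): the request value reaches setCatalog unchanged,
    // so the caller, not the application, decides which catalog the connection uses.
    static void vulnerableSelect(Connection conn, String requested) throws SQLException {
        conn.setCatalog(requested);
    }

    // Hardened pattern: map untrusted input onto a known catalog name, or refuse it.
    static String resolveCatalog(String requested) {
        if (requested == null || !IDENTIFIER.matcher(requested).matches()) {
            throw new IllegalArgumentException("catalog name has an invalid shape");
        }
        String normalized = requested.toLowerCase();
        if (!ALLOWED_CATALOGS.contains(normalized)) {
            throw new IllegalArgumentException("catalog is not in the allowlist");
        }
        return normalized; // only an allowlisted literal ever reaches setCatalog
    }

    static void safeSelect(Connection conn, String requested) throws SQLException {
        conn.setCatalog(resolveCatalog(requested));
    }

    public static void main(String[] args) {
        // Constructed sample inputs; exercising the check needs no live database.
        String[] samples = {"sales", "Reporting", "master", "sales-2024", ""};
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> accepted as " + resolveCatalog(s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The validator runs before any JDBC call, so a rejected request never touches the connection's configuration; wire `safeSelect` to a real `Connection` in place of `vulnerableSelect`.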

## References

* [**Java SQL Connection**](https://docs.oracle.com/en/java/javase/21/docs/api/java.sql/java/sql/Connection.html)
* [**CWE-15: External Control of System or Configuration Setting**](https://cwe.mitre.org/data/definitions/15.html)
* [**OWASP Top 10: A05:2021 - Security Misconfiguration**](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)

## Configuration

To omit this rule during a scan, or to get continuous 24/7 code-level scanning, you can use our [**SAST TOOL**](https://scopy.sec1.io/login).
