I am using Snowflake, and I have a Spring Boot app where I've configured a JDBC connection.
I am using Spring's org.springframework.jdbc.core.JdbcTemplate to run the following query:
    public void setRole(String role) {
        jdbcTemplate.execute("USE ROLE " + role);
    }
It doesn't matter where the role's value comes from - I need to set a specific role multiple times in my program, so that is why I have that method.
The thing is, it leaves room for SQL injection, and I even have a tool that scans my code and complains about that.
I am not sure Snowflake's "USE ROLE" can be used in something like a PreparedStatement.
How can I prevent SQL injection here? Or is it not possible there, and the CodeQL scan result is a false positive?
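One defensive approach for the question above, as an added example that is neither the asker's code nor Spring's own API: a role name is an identifier, so it cannot be bound as a JDBC parameter, but it can be checked against a configured allowlist and against Snowflake's unquoted-identifier syntax before it is concatenated. The class and role names are hypothetical.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not the asker's code: a role name is an identifier, so JDBC
// cannot bind it as a "?" parameter. The safe option is to refuse anything
// that is not a known role and a syntactically valid identifier before it
// is ever concatenated into the statement.
public final class UseRoleStatementBuilder {

    // Snowflake unquoted identifier: a letter or underscore, then letters,
    // digits, underscores or '$'. Nothing here can end or extend a statement.
    private static final Pattern UNQUOTED_IDENTIFIER =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_$]*");

    private final Set<String> allowedRoles;

    // allowedRoles comes from application configuration (the role names used
    // below are hypothetical), never from the caller that supplies "role".
    public UseRoleStatementBuilder(Set<String> allowedRoles) {
        this.allowedRoles = Set.copyOf(allowedRoles);
    }

    // Returns "USE ROLE <name>" or throws; the result is the only string that
    // should ever reach jdbcTemplate.execute(...).
    public String build(String role) {
        if (role == null || !allowedRoles.contains(role)) {
            throw new IllegalArgumentException("role is not in the allowlist");
        }
        if (!UNQUOTED_IDENTIFIER.matcher(role).matches()) {
            throw new IllegalArgumentException("role is not a plain identifier");
        }
        // Emitted unquoted, so Snowflake resolves it case-insensitively exactly
        // as the original "USE ROLE " + role did.
        return "USE ROLE " + role;
    }

    public static void main(String[] args) {
        UseRoleStatementBuilder b =
                new UseRoleStatementBuilder(Set.of("ANALYST", "REPORTING_RO"));
        System.out.println(b.build("ANALYST"));
        try {
            // Constructed malformed input: rejected before any SQL is built.
            b.build("ANALYST; SELECT 1");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // In the Spring service: jdbcTemplate.execute(builder.build(role));
    }
}
```

Because the statement text can only ever be "USE ROLE " followed by a configured identifier, the concatenation is no longer reachable by untrusted input, which is the property the scanner is looking for.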