hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity

Autoformat

Browse Source
This commit is contained in:
Chris Smowton
2022-12-08 11:30:53 +00:00
parent 0edfc6e01e
commit 0d2474bd55
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll
View File

@@ -128,13 +128,14 @@ predicate isMybatisXmlOrAnnotationSqlInjection(
// ```java
// @Select(select id,name from test order by ${orderby,jdbcType=VARCHAR})
// void test(@Param("orderby") String name);
//
//
// @Select(select id,name from test where name = ${ user . name })
// void test(@Param("user") User u);
// ```
exists(Annotation annotation |
unsafeExpression
.regexpMatch("\\$\\{\\s*" + annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
.regexpMatch("\\$\\{\\s*" +
annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
"\\b[^}]*\\}") and
annotation.getType() instanceof TypeParam and
ma.getAnArgument() = node.asExpr() and
@@ -157,7 +158,8 @@ predicate isMybatisXmlOrAnnotationSqlInjection(
or
unsafeExpression.regexpMatch("\\$\\{\\s*arg" + i + "\\b[^}]*\\}")
or
unsafeExpression.regexpMatch("\\$\\{\\s*" + ma.getMethod().getParameter(i).getName() + "\\b[^}]*\\}")
unsafeExpression
.regexpMatch("\\$\\{\\s*" + ma.getMethod().getParameter(i).getName() + "\\b[^}]*\\}")
) and
ma.getArgument(i) = node.asExpr()
)