Model additional Hibernate query sinks

Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47 Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-14 11:19:27 +02:00 · 2026-04-23 13:41:03 +00:00
parent 081ad03b4b
commit 25d232b815
5 changed files with 23 additions and 0 deletions
--- a/java/ql/lib/ext/org.hibernate.query.model.yml
+++ b/java/ql/lib/ext/org.hibernate.query.model.yml
@@ -4,5 +4,8 @@ extensions:
      extensible: sinkModel
    data:
      - ["org.hibernate.query", "QueryProducer", True, "createNativeQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createNativeMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["org.hibernate.query", "QueryProducer", True, "createQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createSelectionQuery", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["org.hibernate.query", "QueryProducer", True, "createSQLQuery", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
@@ -15,7 +15,11 @@ public class Hibernate {
    sharedSessionContract.createSQLQuery(source()); // $ sqlInjection

    queryProducer.createNativeQuery(source()); // $ sqlInjection
+    queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
    queryProducer.createQuery(source()); // $ sqlInjection
+    queryProducer.createMutationQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
    queryProducer.createSQLQuery(source()); // $ sqlInjection
  }
 }
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface MutationQuery {
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
@@ -4,7 +4,15 @@ public interface QueryProducer {

  Query createNativeQuery(String sqlString);

+  MutationQuery createNativeMutationQuery(String sqlString);
+
  Query createQuery(String queryString);

+  MutationQuery createMutationQuery(String hqlString);
+
+  SelectionQuery<?> createSelectionQuery(String hqlString);
+
+  <R> SelectionQuery<R> createSelectionQuery(String hqlString, Class<R> resultType);
+
  Query createSQLQuery(String queryString);
 }
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface SelectionQuery<R> {
+}