Java: Add additional SQL injection sinks.

2026-02-28 21:03:50 +01:00 · 2018-10-24 13:58:21 +02:00
parent c78f3f8edf
commit 263de5219a
5 changed files with 103 additions and 2 deletions
--- a/java/ql/src/semmle/code/java/frameworks/Hibernate.qll
+++ b/java/ql/src/semmle/code/java/frameworks/Hibernate.qll
@@ -0,0 +1,23 @@
+/**
+ * Provides classes and predicates for working with the Hibernate framework.
+ */
+
+import java
+
+/** The interface `org.hibernate.Session`. */
+class HibernateSession extends RefType {
+  HibernateSession() { this.hasQualifiedName("org.hibernate", "Session") }
+}
+
+/**
+ * Holds if `m` is a method on `HibernateSession` taking an SQL string as its
+ * first argument.
+ */
+predicate hibernateSqlMethod(Method m) {
+  m.getDeclaringType() instanceof HibernateSession and
+  m.getParameterType(0) instanceof TypeString and
+  (
+    m.hasName("createQuery") or
+    m.hasName("createSQLQuery")
+  )
+}
--- a/java/ql/src/semmle/code/java/frameworks/MyBatis.qll
+++ b/java/ql/src/semmle/code/java/frameworks/MyBatis.qll
@@ -0,0 +1,27 @@
+/**
+ * Provides classes and predicates for working with the MyBatis framework.
+ */
+
+import java
+
+/** The class `org.apache.ibatis.jdbc.SqlRunner`. */
+class MyBatisSqlRunner extends RefType {
+  MyBatisSqlRunner() { this.hasQualifiedName("org.apache.ibatis.jdbc", "SqlRunner") }
+}
+
+/**
+ * Holds if `m` is a method on `MyBatisSqlRunner` taking an SQL string as its
+ * first argument.
+ */
+predicate mybatisSqlMethod(Method m) {
+  m.getDeclaringType() instanceof MyBatisSqlRunner and
+  m.getParameterType(0) instanceof TypeString and
+  (
+    m.hasName("delete") or
+    m.hasName("insert") or
+    m.hasName("run") or
+    m.hasName("selectAll") or
+    m.hasName("selectOne") or
+    m.hasName("update")
+  )
+}
--- a/java/ql/src/semmle/code/java/frameworks/SpringJdbc.qll
+++ b/java/ql/src/semmle/code/java/frameworks/SpringJdbc.qll
@@ -0,0 +1,35 @@
+/**
+ * Provides classes and predicates for working with the Spring JDBC framework.
+ */
+
+import java
+
+/** The class `org.springframework.jdbc.core.JdbcTemplate`. */
+class JdbcTemplate extends RefType {
+  JdbcTemplate() { this.hasQualifiedName("org.springframework.jdbc.core", "JdbcTemplate") }
+}
+
+/**
+ * Holds if `m` is a method on `JdbcTemplate` taking an SQL string as its first
+ * argument.
+ */
+predicate jdbcSqlMethod(Method m) {
+  m.getDeclaringType() instanceof JdbcTemplate and
+  m.getParameterType(0) instanceof TypeString and
+  (
+    m.hasName("batchUpdate") or
+    m.hasName("execute") or
+    m.getName().matches("query%") or
+    m.hasName("update")
+  )
+}
+
+/** The method `JdbcTemplate.batchUpdate(String... sql)` */
+class BatchUpdateVarargsMethod extends Method {
+  BatchUpdateVarargsMethod() {
+    this.getDeclaringType() instanceof JdbcTemplate and
+    this.hasName("batchUpdate") and
+    this.getParameterType(0).(Array).getComponentType() instanceof TypeString and
+    this.getParameter(0).isVarargs()
+  }
+}