mirror of
https://github.com/github/codeql.git
synced 2026-04-30 11:15:13 +02:00
Modify sink and improve SQL injection detection
This commit is contained in:
haby0
@@ -22,7 +22,7 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
|
||||
|
||||
override predicate isSink(DataFlow::Node sink) {
|
||||
sink instanceof MyBatisMapperXmlSqlInjectionSink
|
||||
sink instanceof MyBatisMapperMethodCallAnArgument
|
||||
}
|
||||
|
||||
override predicate isSanitizer(DataFlow::Node node) {
|
||||
@@ -33,7 +33,11 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
|
||||
}
|
||||
|
||||
from
|
||||
MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "MyBatis Mapper XML sql injection might include code from $@.",
|
||||
source.getNode(), "this user input"
|
||||
MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink,
|
||||
XMLElement xmle
|
||||
where
|
||||
cfg.hasFlowPath(source, sink) and
|
||||
isSqlInjection(sink.getNode(), xmle)
|
||||
select sink.getNode(), source, sink,
|
||||
"MyBatis Mapper XML sql injection might include code from $@ to $@.", source.getNode(),
|
||||
"this user input", xmle, "this sql operation"
|
||||
|
||||
@@ -7,95 +7,100 @@ private class TypeParam extends Interface {
|
||||
TypeParam() { this.hasQualifiedName("org.apache.ibatis.annotations", "Param") }
|
||||
}
|
||||
|
||||
/** A sink for MyBatis Mapper XML file sql injection vulnerabilities. */
|
||||
abstract class MyBatisMapperXmlSqlInjectionSink extends DataFlow::Node { }
|
||||
/** A reference type that extends a parameterization of `java.util.List`. */
|
||||
private class ListType extends RefType {
|
||||
ListType() {
|
||||
this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "List")
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink for MyBatis Mapper method parameter name sql injection vulnerabilities.
|
||||
*
|
||||
* e.g. MyBatis Mapper method: `void test(String name);` and MyBatis Mapper XML file:`select id,name from test where name like '%${name}%'`
|
||||
*/
|
||||
class MyBatisMapperParameterNameSqlInjectionSink extends MyBatisMapperXmlSqlInjectionSink {
|
||||
MyBatisMapperParameterNameSqlInjectionSink() {
|
||||
exists(
|
||||
MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess ma, int i, Method m,
|
||||
Expr arg, string sql
|
||||
/** A sink for MyBatis Mapper method call an argument. */
|
||||
class MyBatisMapperMethodCallAnArgument extends DataFlow::Node {
|
||||
MyBatisMapperMethodCallAnArgument() {
|
||||
exists(MyBatisMapperSqlOperation mbmxe, MethodAccess mc |
|
||||
mbmxe.getMapperMethod() = mc.getMethod()
|
||||
|
|
||||
m = ma.getMethod() and arg = ma.getArgument(i)
|
||||
|
|
||||
arg = this.asExpr() and
|
||||
(
|
||||
mbmxe.getAChild*().getTextValue().trim() = sql
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*().getTextValue().trim() = sql
|
||||
) and
|
||||
not m.getParameter(i).hasAnnotation() and
|
||||
sql.matches("%${" + m.getParameter(i).getName() + "%") and
|
||||
mbmxe.getId() = ma.getMethod().getName() and
|
||||
ma.getMethod().getDeclaringType() =
|
||||
mbmxe.getParent().(MyBatisMapperXMLElement).getNamespaceRefType()
|
||||
mc.getAnArgument() = this.asExpr()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink for MyBatis Mapper method Param Annotation sql injection vulnerabilities.
|
||||
*
|
||||
* e.g. MyBatis Mapper method: `void test(@Param("orderby") String name);` and MyBatis Mapper XML file:`select id,name from test order by ${orderby,jdbcType=VARCHAR}`
|
||||
*/
|
||||
class MyBatisMapperParamAnnotationSqlInjectionSink extends MyBatisMapperXmlSqlInjectionSink {
|
||||
MyBatisMapperParamAnnotationSqlInjectionSink() {
|
||||
exists(
|
||||
MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess ma, int i, Method m,
|
||||
Expr arg, Annotation a, string sql
|
||||
|
|
||||
m = ma.getMethod() and arg = ma.getArgument(i)
|
||||
|
|
||||
arg = this.asExpr() and
|
||||
(
|
||||
mbmxe.getAChild*().getTextValue().trim() = sql
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*().getTextValue().trim() = sql
|
||||
) and
|
||||
m.getParameter(i).hasAnnotation() and
|
||||
m.getParameter(i).getAnAnnotation() = a and
|
||||
a.getType() instanceof TypeParam and
|
||||
sql.matches("%${" + a.getValue("value").(CompileTimeConstantExpr).getStringValue() + "%") and
|
||||
mbmxe.getId() = ma.getMethod().getName() and
|
||||
ma.getMethod().getDeclaringType() =
|
||||
mbmxe.getParent().(MyBatisMapperXMLElement).getNamespaceRefType()
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink for MyBatis Mapper method Class Field sql injection vulnerabilities.
|
||||
*
|
||||
* e.g. MyBatis Mapper method: `void test(Test test);` and MyBatis Mapper XML file:`select id,name from test order by ${name,jdbcType=VARCHAR}`
|
||||
*/
|
||||
class MyBatisMapperClassFieldSqlInjectionSink extends MyBatisMapperXmlSqlInjectionSink {
|
||||
MyBatisMapperClassFieldSqlInjectionSink() {
|
||||
exists(
|
||||
MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess ma, int i, Method m,
|
||||
Expr arg, string sql, Class c
|
||||
|
|
||||
m = ma.getMethod() and arg = ma.getArgument(i)
|
||||
|
|
||||
arg = this.asExpr() and
|
||||
(
|
||||
mbmxe.getAChild*().getTextValue().trim() = sql
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*().getTextValue().trim() = sql
|
||||
) and
|
||||
not m.getParameter(i).hasAnnotation() and
|
||||
m.getParameterType(i).getName() = c.getName() and
|
||||
sql.matches("%${" + c.getAField().getName() + "%") and
|
||||
mbmxe.getId() = ma.getMethod().getName() and
|
||||
ma.getMethod().getDeclaringType() =
|
||||
mbmxe.getParent().(MyBatisMapperXMLElement).getNamespaceRefType()
|
||||
)
|
||||
}
|
||||
predicate isSqlInjection(DataFlow::Node node, XMLElement xmle) {
|
||||
// MyBatis Mapper method parameter name sql injection vulnerabilities.
|
||||
// e.g. MyBatis Mapper method: `void test(String name);` and MyBatis Mapper XML file:`select id,name from test where name like '%${name}%'`
|
||||
exists(MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess mc, int i |
|
||||
mbmxe.getMapperMethod() = mc.getMethod()
|
||||
|
|
||||
(
|
||||
mbmxe.getAChild*() = xmle
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*() = xmle
|
||||
) and
|
||||
not mc.getMethod().getParameter(i).hasAnnotation() and
|
||||
xmle.getTextValue().trim().matches("%${" + mc.getMethod().getParameter(i).getName() + "%") and
|
||||
mc.getArgument(i) = node.asExpr()
|
||||
)
|
||||
or
|
||||
// MyBatis Mapper method Param Annotation sql injection vulnerabilities.
|
||||
// e.g. MyBatis Mapper method: `void test(@Param("orderby") String name);` and MyBatis Mapper XML file:`select id,name from test order by ${orderby,jdbcType=VARCHAR}`
|
||||
exists(
|
||||
MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess mc, int i,
|
||||
Annotation annotation
|
||||
|
|
||||
mbmxe.getMapperMethod() = mc.getMethod()
|
||||
|
|
||||
(
|
||||
mbmxe.getAChild*() = xmle
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*() = xmle
|
||||
) and
|
||||
mc.getMethod().getParameter(i).hasAnnotation() and
|
||||
mc.getMethod().getParameter(i).getAnAnnotation() = annotation and
|
||||
annotation.getType() instanceof TypeParam and
|
||||
xmle.getTextValue()
|
||||
.trim()
|
||||
.matches("%${" + annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
|
||||
"%") and
|
||||
mc.getArgument(i) = node.asExpr()
|
||||
)
|
||||
or
|
||||
// MyBatis Mapper method Class Field sql injection vulnerabilities.
|
||||
// e.g. MyBatis Mapper method: `void test(Test test);` and MyBatis Mapper XML file:`select id,name from test order by ${name,jdbcType=VARCHAR}`
|
||||
exists(MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess mc, int i, Class c |
|
||||
mbmxe.getMapperMethod() = mc.getMethod()
|
||||
|
|
||||
(
|
||||
mbmxe.getAChild*() = xmle
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*() = xmle
|
||||
) and
|
||||
not mc.getMethod().getParameter(i).hasAnnotation() and
|
||||
mc.getMethod().getParameterType(i).getName() = c.getName() and
|
||||
xmle.getTextValue().trim().matches("%${" + c.getAField().getName() + "%") and
|
||||
mc.getArgument(i) = node.asExpr()
|
||||
)
|
||||
or
|
||||
// The parameter type of MyBatis Mapper method is Map or List or Array, which may cause SQL injection vulnerability.
|
||||
// e.g. MyBatis Mapper method: `void test(Map<String, String> params);` and MyBatis Mapper XML file:`select id,name from test where name like '%${name}%'`
|
||||
exists(MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess mc, int i |
|
||||
mbmxe.getMapperMethod() = mc.getMethod()
|
||||
|
|
||||
(
|
||||
mbmxe.getAChild*() = xmle
|
||||
or
|
||||
mbmxe.getInclude().getRefid() = mbms.getId() and
|
||||
mbms.getAChild*() = xmle
|
||||
) and
|
||||
not mc.getMethod().getParameter(i).hasAnnotation() and
|
||||
(
|
||||
mc.getMethod().getParameterType(i) instanceof MapType or
|
||||
mc.getMethod().getParameterType(i) instanceof ListType or
|
||||
mc.getMethod().getParameterType(i) instanceof Array
|
||||
) and
|
||||
xmle.getTextValue().trim().matches("%${%") and
|
||||
mc.getArgument(i) = node.asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
@@ -37,6 +37,12 @@ abstract class MyBatisMapperSqlOperation extends MyBatisMapperXMLElement {
|
||||
* Gets the `<include>` element in a `MyBatisMapperSqlOperation`.
|
||||
*/
|
||||
MyBatisMapperInclude getInclude() { result = getAChild*() }
|
||||
|
||||
|
||||
Method getMapperMethod() {
|
||||
result.getName() = this.getId() and
|
||||
result.getDeclaringType() = this.getParent().(MyBatisMapperXMLElement).getNamespaceRefType()
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@@ -1,43 +1,68 @@
|
||||
edges
|
||||
| MybatisSqlInjection.java:17:25:17:35 | name : String | MybatisSqlInjection.java:18:55:18:58 | name : String |
|
||||
| MybatisSqlInjection.java:18:55:18:58 | name : String | MybatisSqlInjectionService.java:11:25:11:35 | name : String |
|
||||
| MybatisSqlInjection.java:23:25:23:35 | name : String | MybatisSqlInjection.java:24:55:24:58 | name : String |
|
||||
| MybatisSqlInjection.java:24:55:24:58 | name : String | MybatisSqlInjectionService.java:16:25:16:35 | name : String |
|
||||
| MybatisSqlInjection.java:29:25:29:49 | test : Test | MybatisSqlInjection.java:30:55:30:58 | test : Test |
|
||||
| MybatisSqlInjection.java:30:55:30:58 | test : Test | MybatisSqlInjectionService.java:21:25:21:33 | test : Test |
|
||||
| MybatisSqlInjection.java:35:19:35:40 | test : Test | MybatisSqlInjection.java:36:35:36:38 | test : Test |
|
||||
| MybatisSqlInjection.java:36:35:36:38 | test : Test | MybatisSqlInjectionService.java:26:19:26:27 | test : Test |
|
||||
| MybatisSqlInjection.java:40:19:40:40 | test : Test | MybatisSqlInjection.java:41:35:41:38 | test : Test |
|
||||
| MybatisSqlInjection.java:41:35:41:38 | test : Test | MybatisSqlInjectionService.java:30:19:30:27 | test : Test |
|
||||
| MybatisSqlInjectionService.java:11:25:11:35 | name : String | MybatisSqlInjectionService.java:12:47:12:50 | name |
|
||||
| MybatisSqlInjectionService.java:16:25:16:35 | name : String | MybatisSqlInjectionService.java:17:47:17:50 | name |
|
||||
| MybatisSqlInjectionService.java:21:25:21:33 | test : Test | MybatisSqlInjectionService.java:22:47:22:50 | test |
|
||||
| MybatisSqlInjectionService.java:26:19:26:27 | test : Test | MybatisSqlInjectionService.java:27:27:27:30 | test |
|
||||
| MybatisSqlInjectionService.java:30:19:30:27 | test : Test | MybatisSqlInjectionService.java:31:27:31:30 | test |
|
||||
| MybatisSqlInjection.java:19:25:19:49 | name : String | MybatisSqlInjection.java:20:55:20:58 | name : String |
|
||||
| MybatisSqlInjection.java:20:55:20:58 | name : String | MybatisSqlInjectionService.java:12:25:12:35 | name : String |
|
||||
| MybatisSqlInjection.java:25:25:25:49 | name : String | MybatisSqlInjection.java:26:55:26:58 | name : String |
|
||||
| MybatisSqlInjection.java:26:55:26:58 | name : String | MybatisSqlInjectionService.java:17:25:17:35 | name : String |
|
||||
| MybatisSqlInjection.java:31:25:31:49 | test : Test | MybatisSqlInjection.java:32:55:32:58 | test : Test |
|
||||
| MybatisSqlInjection.java:32:55:32:58 | test : Test | MybatisSqlInjectionService.java:22:25:22:33 | test : Test |
|
||||
| MybatisSqlInjection.java:37:19:37:40 | test : Test | MybatisSqlInjection.java:38:35:38:38 | test : Test |
|
||||
| MybatisSqlInjection.java:38:35:38:38 | test : Test | MybatisSqlInjectionService.java:27:19:27:27 | test : Test |
|
||||
| MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjection.java:43:35:43:38 | test : Test |
|
||||
| MybatisSqlInjection.java:43:35:43:38 | test : Test | MybatisSqlInjectionService.java:31:19:31:27 | test : Test |
|
||||
| MybatisSqlInjection.java:47:19:47:57 | params : Map | MybatisSqlInjection.java:48:35:48:40 | params : Map |
|
||||
| MybatisSqlInjection.java:48:35:48:40 | params : Map | MybatisSqlInjectionService.java:35:19:35:44 | params : Map |
|
||||
| MybatisSqlInjection.java:52:19:52:50 | params : List | MybatisSqlInjection.java:53:35:53:40 | params : List |
|
||||
| MybatisSqlInjection.java:53:35:53:40 | params : List | MybatisSqlInjectionService.java:39:19:39:37 | params : List |
|
||||
| MybatisSqlInjection.java:57:19:57:46 | params : String[] | MybatisSqlInjection.java:58:35:58:40 | params : String[] |
|
||||
| MybatisSqlInjection.java:58:35:58:40 | params : String[] | MybatisSqlInjectionService.java:43:19:43:33 | params : String[] |
|
||||
| MybatisSqlInjectionService.java:12:25:12:35 | name : String | MybatisSqlInjectionService.java:13:47:13:50 | name |
|
||||
| MybatisSqlInjectionService.java:17:25:17:35 | name : String | MybatisSqlInjectionService.java:18:47:18:50 | name |
|
||||
| MybatisSqlInjectionService.java:22:25:22:33 | test : Test | MybatisSqlInjectionService.java:23:47:23:50 | test |
|
||||
| MybatisSqlInjectionService.java:27:19:27:27 | test : Test | MybatisSqlInjectionService.java:28:27:28:30 | test |
|
||||
| MybatisSqlInjectionService.java:31:19:31:27 | test : Test | MybatisSqlInjectionService.java:32:27:32:30 | test |
|
||||
| MybatisSqlInjectionService.java:35:19:35:44 | params : Map | MybatisSqlInjectionService.java:36:27:36:32 | params |
|
||||
| MybatisSqlInjectionService.java:39:19:39:37 | params : List | MybatisSqlInjectionService.java:40:27:40:32 | params |
|
||||
| MybatisSqlInjectionService.java:43:19:43:33 | params : String[] | MybatisSqlInjectionService.java:44:27:44:32 | params |
|
||||
nodes
|
||||
| MybatisSqlInjection.java:17:25:17:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:18:55:18:58 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:23:25:23:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:24:55:24:58 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:29:25:29:49 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:30:55:30:58 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:35:19:35:40 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:36:35:36:38 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:40:19:40:40 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:41:35:41:38 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:11:25:11:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjectionService.java:12:47:12:50 | name | semmle.label | name |
|
||||
| MybatisSqlInjectionService.java:16:25:16:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjectionService.java:17:47:17:50 | name | semmle.label | name |
|
||||
| MybatisSqlInjectionService.java:21:25:21:33 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:22:47:22:50 | test | semmle.label | test |
|
||||
| MybatisSqlInjectionService.java:26:19:26:27 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:27:27:27:30 | test | semmle.label | test |
|
||||
| MybatisSqlInjectionService.java:30:19:30:27 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:31:27:31:30 | test | semmle.label | test |
|
||||
| MybatisSqlInjection.java:19:25:19:49 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:20:55:20:58 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:25:25:25:49 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:26:55:26:58 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjection.java:31:25:31:49 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:32:55:32:58 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:37:19:37:40 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:38:35:38:38 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:42:19:42:40 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:43:35:43:38 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjection.java:47:19:47:57 | params : Map | semmle.label | params : Map |
|
||||
| MybatisSqlInjection.java:48:35:48:40 | params : Map | semmle.label | params : Map |
|
||||
| MybatisSqlInjection.java:52:19:52:50 | params : List | semmle.label | params : List |
|
||||
| MybatisSqlInjection.java:53:35:53:40 | params : List | semmle.label | params : List |
|
||||
| MybatisSqlInjection.java:57:19:57:46 | params : String[] | semmle.label | params : String[] |
|
||||
| MybatisSqlInjection.java:58:35:58:40 | params : String[] | semmle.label | params : String[] |
|
||||
| MybatisSqlInjectionService.java:12:25:12:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjectionService.java:13:47:13:50 | name | semmle.label | name |
|
||||
| MybatisSqlInjectionService.java:17:25:17:35 | name : String | semmle.label | name : String |
|
||||
| MybatisSqlInjectionService.java:18:47:18:50 | name | semmle.label | name |
|
||||
| MybatisSqlInjectionService.java:22:25:22:33 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:23:47:23:50 | test | semmle.label | test |
|
||||
| MybatisSqlInjectionService.java:27:19:27:27 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:28:27:28:30 | test | semmle.label | test |
|
||||
| MybatisSqlInjectionService.java:31:19:31:27 | test : Test | semmle.label | test : Test |
|
||||
| MybatisSqlInjectionService.java:32:27:32:30 | test | semmle.label | test |
|
||||
| MybatisSqlInjectionService.java:35:19:35:44 | params : Map | semmle.label | params : Map |
|
||||
| MybatisSqlInjectionService.java:36:27:36:32 | params | semmle.label | params |
|
||||
| MybatisSqlInjectionService.java:39:19:39:37 | params : List | semmle.label | params : List |
|
||||
| MybatisSqlInjectionService.java:40:27:40:32 | params | semmle.label | params |
|
||||
| MybatisSqlInjectionService.java:43:19:43:33 | params : String[] | semmle.label | params : String[] |
|
||||
| MybatisSqlInjectionService.java:44:27:44:32 | params | semmle.label | params |
|
||||
#select
|
||||
| MybatisSqlInjectionService.java:12:47:12:50 | name | MybatisSqlInjection.java:17:25:17:35 | name : String | MybatisSqlInjectionService.java:12:47:12:50 | name | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:17:25:17:35 | name | this user input |
|
||||
| MybatisSqlInjectionService.java:17:47:17:50 | name | MybatisSqlInjection.java:23:25:23:35 | name : String | MybatisSqlInjectionService.java:17:47:17:50 | name | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:23:25:23:35 | name | this user input |
|
||||
| MybatisSqlInjectionService.java:22:47:22:50 | test | MybatisSqlInjection.java:29:25:29:49 | test : Test | MybatisSqlInjectionService.java:22:47:22:50 | test | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:29:25:29:49 | test | this user input |
|
||||
| MybatisSqlInjectionService.java:27:27:27:30 | test | MybatisSqlInjection.java:35:19:35:40 | test : Test | MybatisSqlInjectionService.java:27:27:27:30 | test | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:35:19:35:40 | test | this user input |
|
||||
| MybatisSqlInjectionService.java:31:27:31:30 | test | MybatisSqlInjection.java:40:19:40:40 | test : Test | MybatisSqlInjectionService.java:31:27:31:30 | test | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:40:19:40:40 | test | this user input |
|
||||
| MybatisSqlInjectionService.java:13:47:13:50 | name | MybatisSqlInjection.java:19:25:19:49 | name : String | MybatisSqlInjectionService.java:13:47:13:50 | name | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:19:25:19:49 | name | this user input | SqlInjectionMapper.xml:23:3:25:12 | select | this sql operation |
|
||||
| MybatisSqlInjectionService.java:18:47:18:50 | name | MybatisSqlInjection.java:25:25:25:49 | name : String | MybatisSqlInjectionService.java:18:47:18:50 | name | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:25:25:25:49 | name | this user input | SqlInjectionMapper.xml:27:3:29:12 | select | this sql operation |
|
||||
| MybatisSqlInjectionService.java:23:47:23:50 | test | MybatisSqlInjection.java:31:25:31:49 | test : Test | MybatisSqlInjectionService.java:23:47:23:50 | test | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:31:25:31:49 | test | this user input | SqlInjectionMapper.xml:31:3:33:12 | select | this sql operation |
|
||||
| MybatisSqlInjectionService.java:28:27:28:30 | test | MybatisSqlInjection.java:37:19:37:40 | test : Test | MybatisSqlInjectionService.java:28:27:28:30 | test | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:37:19:37:40 | test | this user input | SqlInjectionMapper.xml:14:7:16:12 | if | this sql operation |
|
||||
| MybatisSqlInjectionService.java:32:27:32:30 | test | MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjectionService.java:32:27:32:30 | test | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:42:19:42:40 | test | this user input | SqlInjectionMapper.xml:50:7:52:12 | if | this sql operation |
|
||||
| MybatisSqlInjectionService.java:32:27:32:30 | test | MybatisSqlInjection.java:42:19:42:40 | test : Test | MybatisSqlInjectionService.java:32:27:32:30 | test | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:42:19:42:40 | test | this user input | SqlInjectionMapper.xml:53:7:55:12 | if | this sql operation |
|
||||
| MybatisSqlInjectionService.java:36:27:36:32 | params | MybatisSqlInjection.java:47:19:47:57 | params : Map | MybatisSqlInjectionService.java:36:27:36:32 | params | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:47:19:47:57 | params | this user input | SqlInjectionMapper.xml:59:3:61:12 | select | this sql operation |
|
||||
| MybatisSqlInjectionService.java:40:27:40:32 | params | MybatisSqlInjection.java:52:19:52:50 | params : List | MybatisSqlInjectionService.java:40:27:40:32 | params | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:52:19:52:50 | params | this user input | SqlInjectionMapper.xml:65:5:67:15 | foreach | this sql operation |
|
||||
| MybatisSqlInjectionService.java:44:27:44:32 | params | MybatisSqlInjection.java:57:19:57:46 | params : String[] | MybatisSqlInjectionService.java:44:27:44:32 | params | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:57:19:57:46 | params | this user input | SqlInjectionMapper.xml:72:5:74:15 | foreach | this sql operation |
|
||||
|
||||
@@ -1,11 +1,13 @@
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Controller;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.ModelAttribute;
|
||||
import org.springframework.web.bind.annotation.RequestBody;
|
||||
import org.springframework.web.bind.annotation.RequestMapping;
|
||||
import org.springframework.web.bind.annotation.RequestMethod;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
|
||||
@Controller
|
||||
public class MybatisSqlInjection {
|
||||
@@ -13,34 +15,49 @@ public class MybatisSqlInjection {
|
||||
@Autowired
|
||||
private MybatisSqlInjectionService mybatisSqlInjectionService;
|
||||
|
||||
@GetMapping(value = "bad1")
|
||||
public List<Test> bad1(String name) {
|
||||
@GetMapping(value = "msi1")
|
||||
public List<Test> bad1(@RequestParam String name) {
|
||||
List<Test> result = mybatisSqlInjectionService.bad1(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad2")
|
||||
public List<Test> bad2(String name) {
|
||||
@GetMapping(value = "msi2")
|
||||
public List<Test> bad2(@RequestParam String name) {
|
||||
List<Test> result = mybatisSqlInjectionService.bad2(name);
|
||||
return result;
|
||||
}
|
||||
|
||||
@GetMapping(value = "bad3")
|
||||
@GetMapping(value = "msi3")
|
||||
public List<Test> bad3(@ModelAttribute Test test) {
|
||||
List<Test> result = mybatisSqlInjectionService.bad3(test);
|
||||
return result;
|
||||
}
|
||||
|
||||
@RequestMapping(value = "bad4", method = RequestMethod.POST, produces = "application/json")
|
||||
@RequestMapping(value = "msi4", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad4(@RequestBody Test test) {
|
||||
mybatisSqlInjectionService.bad4(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "bad5", method = RequestMethod.PUT, produces = "application/json")
|
||||
@RequestMapping(value = "msi5", method = RequestMethod.PUT, produces = "application/json")
|
||||
public void bad5(@RequestBody Test test) {
|
||||
mybatisSqlInjectionService.bad5(test);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi6", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad6(@RequestBody Map<String, String> params) {
|
||||
mybatisSqlInjectionService.bad6(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi7", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad7(@RequestBody List<String> params) {
|
||||
mybatisSqlInjectionService.bad7(params);
|
||||
}
|
||||
|
||||
@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
|
||||
public void bad7(@RequestBody String[] params) {
|
||||
mybatisSqlInjectionService.bad8(params);
|
||||
}
|
||||
|
||||
@GetMapping(value = "good1")
|
||||
public List<Test> good1(Integer id) {
|
||||
List<Test> result = mybatisSqlInjectionService.good1(id);
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.stereotype.Service;
|
||||
|
||||
@@ -31,6 +32,18 @@ public class MybatisSqlInjectionService {
|
||||
sqlInjectionMapper.bad5(test);
|
||||
}
|
||||
|
||||
public void bad6(Map<String, String> params) {
|
||||
sqlInjectionMapper.bad6(params);
|
||||
}
|
||||
|
||||
public void bad7(List<String> params) {
|
||||
sqlInjectionMapper.bad7(params);
|
||||
}
|
||||
|
||||
public void bad8(String[] params) {
|
||||
sqlInjectionMapper.bad8(params);
|
||||
}
|
||||
|
||||
public List<Test> good1(Integer id) {
|
||||
List<Test> result = sqlInjectionMapper.good1(id);
|
||||
return result;
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import org.apache.ibatis.annotations.Mapper;
|
||||
import org.apache.ibatis.annotations.Param;
|
||||
import org.springframework.stereotype.Repository;
|
||||
@@ -17,5 +18,11 @@ public interface SqlInjectionMapper {
|
||||
|
||||
void bad5(Test test);
|
||||
|
||||
void bad6(Map<String, String> params);
|
||||
|
||||
void bad7(List<String> params);
|
||||
|
||||
void bad8(String[] params);
|
||||
|
||||
List<Test> good1(Integer id);
|
||||
}
|
||||
|
||||
@@ -28,11 +28,11 @@
|
||||
select id,name from test order by ${orderby,jdbcType=VARCHAR} desc
|
||||
</select>
|
||||
|
||||
<select id="bad3" parameterType="java.lang.String" resultMap="BaseResultMap">
|
||||
<select id="bad3" parameterType="Test" resultMap="BaseResultMap">
|
||||
select id,name from test where name in ${name}
|
||||
</select>
|
||||
|
||||
<update id="bad4" parameterType="com.example.demo.entity.Test">
|
||||
<update id="bad4" parameterType="Test">
|
||||
update test
|
||||
<set>
|
||||
<if test="test.pass != null">
|
||||
@@ -48,7 +48,7 @@
|
||||
insert into test (name, pass)
|
||||
<trim prefix="values (" suffix=")" suffixOverrides=",">
|
||||
<if test="name != null">
|
||||
name = ${name},
|
||||
name = ${name,jdbcType=VARCHAR},
|
||||
</if>
|
||||
<if test="pass != null">
|
||||
pass = ${pass},
|
||||
@@ -56,7 +56,25 @@
|
||||
</trim>
|
||||
</insert>
|
||||
|
||||
<select id="bad6" resultMap="BaseResultMap">
|
||||
select id,name from test where name like '%${name}%'
|
||||
</select>
|
||||
|
||||
<select id="bad7" resultMap="BaseResultMap">
|
||||
select id,name from test where name in
|
||||
<foreach collection="list" item="value" open="(" close=")" separator=",">
|
||||
${value}
|
||||
</foreach>
|
||||
</select>
|
||||
|
||||
<select id="bad8" resultMap="BaseResultMap">
|
||||
select id,name from test where name in
|
||||
<foreach collection="array" item="value" open="(" close=")" separator=",">
|
||||
${value}
|
||||
</foreach>
|
||||
</select>
|
||||
|
||||
<select id="good1" parameterType="java.lang.Integer" resultMap="BaseResultMap">
|
||||
select id,name from test where id = ${id}
|
||||
</select>
|
||||
</mapper>
|
||||
</mapper>
|
||||
Reference in New Issue
Block a user