Add basic test for SQL injection vs Jakarta Persistence

2026-04-26 17:25:19 +02:00 · 2025-04-01 17:12:35 +01:00
parent 5d37ccfa90
commit 3c555fce11
4 changed files with 28 additions and 1 deletions
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/JakartaPersistence.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/JakartaPersistence.java
@@ -0,0 +1,13 @@
+import jakarta.persistence.EntityManager;
+
+public class JakartaPersistence {
+
+  public static String source() { return null; }
+
+  public static void test(EntityManager entityManager) {
+
+    entityManager.createNativeQuery(source()); // $ sqlInjection
+
+  }
+
+}
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21