Java: add a class for PreparedStatement methods that update a database

java/ql/lib/semmle/code/java/frameworks/Jdbc.qll

@@ -34,3 +34,19 @@ class ResultSetGetStringMethod extends Method {
     this.getReturnType() instanceof TypeString
   }
 }
+
+/** A method with the name `executeUpdate` declared in `java.sql.PreparedStatement`. */
+class PreparedStatementExecuteUpdateMethod extends Method {
+  PreparedStatementExecuteUpdateMethod() {
+    this.getDeclaringType() instanceof TypePreparedStatement and
+    this.hasName("executeUpdate")
+  }
+}
+
+/** A method with the name `executeLargeUpdate` declared in `java.sql.PreparedStatement`. */
+class PreparedStatementExecuteLargeUpdateMethod extends Method {
+  PreparedStatementExecuteLargeUpdateMethod() {
+    this.getDeclaringType() instanceof TypePreparedStatement and
+    this.hasName("executeLargeUpdate")
+  }
+}

java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll

@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.MyBatis
+private import semmle.code.java.frameworks.Jdbc
 
 /** A method that is not protected from CSRF by default. */
 abstract class CsrfUnprotectedMethod extends Method { }
@@ -45,3 +46,11 @@ private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {
     )
   }
 }
+
+/** A method declared in `java.sql.PreparedStatement` that updates a database. */
+private class PreparedStatementDatabaseUpdateMethod extends DatabaseUpdateMethod {
+  PreparedStatementDatabaseUpdateMethod() {
+    this instanceof PreparedStatementExecuteUpdateMethod or
+    this instanceof PreparedStatementExecuteLargeUpdateMethod
+  }
+}