Java: improve naming and description of SqlUnescaped.ql

Since the main thing it's objecting to is concatenation, not lack of escaping (in particular, it doesn't look for escaping sanitizers), rename and re-describe it accordingly.
This commit is contained in:
Chris Smowton
2022-12-16 17:56:22 +00:00
parent 06ea249997
commit 45c732a6f9
10 changed files with 24 additions and 24 deletions


@@ -21,18 +21,18 @@ it enough to cause the SQL query to fail to run.</p>
<p>In the following example, the code runs a simple SQL query in two different ways.</p>
<p>The first way involves building a query, <code>query1</code>, by concatenating the
result of <code>getCategory</code> with some string literals. The result of
result of <code>getCategory</code> with some string literals. The result of
<code>getCategory</code> can include special characters, or
it might be refactored later so that it may return something that contains special characters.</p>
<p>The second way, which shows good practice, involves building a query, <code>query2</code>, with
<p>The second way, which shows good practice, involves building a query, <code>query2</code>, with
a single string literal that includes a wildcard (<code>?</code>). The wildcard
is then given a value by calling <code>setString</code>. This
version is immune to injection attacks, because any special characters
in the result of <code>getCategory</code> are not given any special
treatment.</p>
<sample src="SqlUnescaped.java" />
<sample src="SqlConcatenated.java" />
</example>
<references>
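Review bot: the explanatory paragraph still frames the risk as the result of `getCategory` possibly containing "special characters" (the lines beginning "result of <code>getCategory</code> with some string literals"), which is the escaping framing the commit message says the query is moving away from; consider rewording it to say that the concatenated value may be attacker-controlled, since that is what the renamed query actually detects. Two smaller points in the same hunk: the `?` in a JDBC prepared statement is a parameter placeholder, not a wildcard (wildcards are the `%` and `_` of `LIKE`), so "includes a wildcard (<code>?</code>)" is misleading; and the new `<sample src="SqlConcatenated.java" />` requires the sample file itself to be renamed in this commit, otherwise the qhelp references a file that does not exist.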


@@ -1,7 +1,7 @@
/**
* @name Query built without neutralizing special characters
* @description Building a SQL or Java Persistence query without escaping or otherwise neutralizing any special
* characters is vulnerable to insertion of malicious code.
* @name Query built by concatenation with a possibly-untrusted string
* @description Building a SQL or Java Persistence query by concatenating a possibly-untrusted string
* is vulnerable to insertion of malicious code.
* @kind problem
* @problem.severity error
* @security-severity 8.8
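Review bot: the new `@description` reads "Building a SQL or Java Persistence query by concatenating a possibly-untrusted string is vulnerable to insertion of malicious code", which makes the act of building the thing that is vulnerable; a clearer form is "Building a SQL or Java Persistence query by concatenating a possibly-untrusted string may make it vulnerable to insertion of malicious code." The "may" is not just style: the commit message itself says the query does not look for escaping sanitizers, so a flat "is vulnerable" overstates what a single alert establishes. The `@id` is not in this hunk; if it is being renamed along with `@name`, any alert suppressions or query-pack configurations keyed on the old id will need updating too.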
@@ -13,7 +13,7 @@
*/
import java
import semmle.code.java.security.SqlUnescapedLib
import semmle.code.java.security.SqlConcatenatedLib
import semmle.code.java.security.SqlInjectionQuery
class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
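Review bot: replacing `import semmle.code.java.security.SqlUnescapedLib` with `import semmle.code.java.security.SqlConcatenatedLib` is an API break for any custom query that still imports the old module name. Consider keeping a deprecated `SqlUnescapedLib.qll` that re-exports the new module for a release cycle, and confirm that no other query or library in the repository still imports the old name, since that would fail to compile once the file is renamed.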
@@ -27,7 +27,7 @@ class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration {
UncontrolledStringBuilderSourceFlowConfig() {
this = "SqlUnescaped::UncontrolledStringBuilderSourceFlowConfig"
this = "SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig"
}
override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
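Review bot: the configuration's string identity changes to `"SqlConcatenated::UncontrolledStringBuilderSourceFlowConfig"` while the class name stays the same, which is consistent with the rename; since these strings must be unique across configurations, it is worth grepping for any remaining `"SqlUnescaped::"` prefix elsewhere so that no two configurations end up sharing a name, or a stale one survives.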
@@ -50,5 +50,5 @@ where
)
) and
not queryTaintedBy(query, _, _)
select query, "Query might not neutralize special characters in $@.", uncontrolled,
select query, "Query built by concatenation with $@, which may be untrusted.", uncontrolled,
"this expression"
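Review bot: changing the alert string to "Query built by concatenation with $@, which may be untrusted." changes the query's output, so the `.expected` files for its tests must be regenerated in the same commit; the "10 changed files" count suggests this was done, but none of it is visible here. The retained `not queryTaintedBy(query, _, _)` clause still excludes any query that the taint-tracking `SqlInjectionQuery` already reports, so the hedged "may be untrusted" wording is the right one: this alert only covers concatenations for which no taint path from a known source was found.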