From 596c4fcac354018f12174416bc37a9df5c25acbc Mon Sep 17 00:00:00 2001 From: Chris Smowton Date: Thu, 8 Dec 2022 14:02:25 +0000 Subject: [PATCH] Add change note re: MyBatis improvement --- java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md diff --git a/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md b/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md new file mode 100644 index 00000000000..b7fb197c23e --- /dev/null +++ b/java/ql/lib/change-notes/2022-12-08-mybatis-parameters.md @@ -0,0 +1,4 @@ +--- +category: minorAnalysis +--- +* We now detect SQL injection via the MyBatis library when the `@Param` annotation is not used, but the unannotated parameter is referred to by name regardless. This is an undocumented feature of the MyBatis library; the documentation suggests either `@Param` should be used, or a parameter should be referred to by position, e.g. `{arg0}`.
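Review bot: the positional example in the added bullet, `{arg0}`, is missing its leading sigil; MyBatis parameter references are written `#{arg0}` (bound as a prepared-statement parameter) or `${arg0}` (raw string substitution), so the note should read e.g. `#{arg0}` (or `#{param1}`). Since the note is about SQL injection detection, it would also help readers to say whether the new name-based matching covers both `#{name}` and `${name}` references, as only the latter interpolates the value into the statement text.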