Merge pull request #2725 from aschackmull/java/sqlinjection-number-barrier

Java: Add java.lang.Number as a sanitizer for SQL injection.
2025-12-22 03:36:30 +01:00 · 2020-01-30 18:25:24 -05:00
parent b542b08c95 2a0a568cbb
commit 7ca7bdfc46
3 changed files with 13 additions and 5 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -54,7 +54,9 @@ private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

  override predicate isSanitizer(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
  }
 }

--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -101,6 +101,16 @@ class TypeMath extends Class {
  TypeMath() { this.hasQualifiedName("java.lang", "Math") }
 }

+/** The class `java.lang.Number`. */
+class TypeNumber extends RefType {
+  TypeNumber() { this.hasQualifiedName("java.lang", "Number") }
+}
+
+/** A (reflexive, transitive) subtype of `java.lang.Number`. */
+class NumberType extends RefType {
+  NumberType() { exists(TypeNumber number | hasSubtype*(number, this)) }
+}
+
 /** A numeric type, including both primitive and boxed types. */
 class NumericType extends Type {
  NumericType() {
--- a/java/ql/src/semmle/code/java/security/Random.qll
+++ b/java/ql/src/semmle/code/java/security/Random.qll
@@ -36,10 +36,6 @@ private class PredictableSeedFlowConfiguration extends DataFlow::Configuration {
  }
 }

-private class TypeNumber extends Class {
-  TypeNumber() { this.getQualifiedName() = "java.lang.Number" }
-}
-
 private predicate predictableCalcStep(Expr e1, Expr e2) {
  e2.(BinaryExpr).hasOperands(e1, any(PredictableSeedExpr p))
  or