Add SqlTaintedLocalQuery

2026-04-30 11:15:13 +02:00 · 2023-04-05 12:02:24 -04:00
parent a0f7575b34
commit 91b3533035
3 changed files with 36 additions and 22 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -8,4 +8,5 @@ category: minorAnalysis
 * Added the `ExternallyControlledFormatStringLocalQuery.qll` library to provide the `ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
 * Added the `InsecureCookieQuery.qll` library to provide the `SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
 * Added the `ExecTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
-* Added the `StackTraceExposureQuery.qll` library to provide the `printsStackExternally`, `stringifiedStackFlowsExternally`, and `getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
+* Added the `StackTraceExposureQuery.qll` library to provide the `printsStackExternally`, `stringifiedStackFlowsExternally`, and `getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
+* Added the `SqlTaintedLocalQuery.qll` library to provide the `LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
--- a/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlTaintedLocalQuery.qll
@@ -0,0 +1,32 @@
+/**
+ * Provides a taint-tracking configuration for reasoning about local user input
+ * that is used in a SQL query.
+ */
+
+import semmle.code.java.Expr
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.security.SqlInjectionQuery
+
+/**
+ * A taint-tracking configuration for reasoning about local user input that is
+ * used in a SQL query.
+ */
+module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
+  }
+}
+
+/**
+ * Taint-tracking flow for local user input that is used in a SQL query.
+ */
+module LocalUserInputToQueryInjectionFlow =
+  TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -12,27 +12,8 @@
 *       external/cwe/cwe-564
 */

-import semmle.code.java.Expr
-import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.security.SqlInjectionQuery
-
-module LocalUserInputToQueryInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof LocalUserInput }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
-  }
-}
-
-module LocalUserInputToQueryInjectionFlow =
-  TaintTracking::Global<LocalUserInputToQueryInjectionFlowConfig>;
-
+import java
+import semmle.code.java.security.SqlTaintedLocalQuery
 import LocalUserInputToQueryInjectionFlow::PathGraph

 from