hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-17 21:14:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Java: handle MyBatis annotations for insert/update/delete

Browse Source
This commit is contained in:
Jami Cogswell
2024-12-03 19:10:26 -05:00
parent df77d4914f
commit 97aaf4c011
7 changed files with 98 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
View File

@@ -36,9 +36,9 @@ private class SpringCsrfUnprotectedMethod extends CsrfUnprotectedMethod instance
/** A method that updates a database. */
abstract class DatabaseUpdateMethod extends Method { }
/** A MyBatis Mapper method that updates a database. */
private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {
MyBatisMapperDatabaseUpdateMethod() {
/** A MyBatis method that updates a database. */
private class MyBatisDatabaseUpdateMethod extends DatabaseUpdateMethod {
MyBatisDatabaseUpdateMethod() {
exists(MyBatisMapperSqlOperation mapperXml |
(
mapperXml instanceof MyBatisMapperInsert or
@@ -47,6 +47,14 @@ private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {
) and
this = mapperXml.getMapperMethod()
)
or
exists(MyBatisSqlOperationAnnotationMethod m | this = m |
not m.getAnAnnotation().getType().hasQualifiedName("org.apache.ibatis.annotations", "Select")
)
or
exists(Method m | this = m |
m.hasAnnotation("org.apache.ibatis.annotations", ["Delete", "Update", "Insert"] + "Provider")
)
}
}