Merge pull request #3926 from rvermeulen/java-importable-cwe-089

Java: Move `QueryInjectionSink` into importable library
2026-04-29 10:45:15 +02:00 · 2020-07-09 16:00:56 +02:00
parent 2fa54552f0 7428a8cd95
commit 99a4f8fd0b
3 changed files with 51 additions and 45 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -1,50 +1,8 @@
 /** Definitions used by the queries for database query injection. */

-import semmle.code.java.Expr
+import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.android.SQLite
-import semmle.code.java.frameworks.javaee.Persistence
-import semmle.code.java.frameworks.SpringJdbc
-import semmle.code.java.frameworks.MyBatis
-import semmle.code.java.frameworks.Hibernate
-
-/** A sink for database query language injection vulnerabilities. */
-abstract class QueryInjectionSink extends DataFlow::ExprNode { }
-
-/** A sink for SQL injection vulnerabilities. */
-class SqlInjectionSink extends QueryInjectionSink {
-  SqlInjectionSink() {
-    this.getExpr() instanceof SqlExpr
-    or
-    exists(MethodAccess ma, Method m, int index |
-      ma.getMethod() = m and
-      ma.getArgument(index) = this.getExpr()
-    |
-      index = m.(SQLiteRunner).sqlIndex()
-      or
-      m instanceof BatchUpdateVarargsMethod
-      or
-      index = 0 and jdbcSqlMethod(m)
-      or
-      index = 0 and mybatisSqlMethod(m)
-      or
-      index = 0 and hibernateSqlMethod(m)
-    )
-  }
-}
-
-/** A sink for Java Persistence Query Language injection vulnerabilities. */
-class PersistenceQueryInjectionSink extends QueryInjectionSink {
-  PersistenceQueryInjectionSink() {
-    // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
-    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
-      call.getMethod() = em.getACreateQueryMethod() or
-      call.getMethod() = em.getACreateNativeQueryMethod()
-      // note: `createNamedQuery` is safe, as it takes only the query name,
-      // and named queries can only be constructed using constants as the query text
-    )
-  }
-}
+import semmle.code.java.security.QueryInjection

 private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
  QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura
 from QueryInjectionSink query, Expr uncontrolled
 where
  (
-    builtFromUncontrolledConcat(query.getExpr(), uncontrolled)
+    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
    or
    exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
      uncontrolledStringBuilderQuery(sbv, uncontrolled) and
--- a/java/ql/src/semmle/code/java/security/QueryInjection.qll
+++ b/java/ql/src/semmle/code/java/security/QueryInjection.qll
@@ -0,0 +1,48 @@
+/** Provides classes to reason about database query language injection vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Jdbc
+import semmle.code.java.frameworks.android.SQLite
+import semmle.code.java.frameworks.javaee.Persistence
+import semmle.code.java.frameworks.SpringJdbc
+import semmle.code.java.frameworks.MyBatis
+import semmle.code.java.frameworks.Hibernate
+
+/** A sink for database query language injection vulnerabilities. */
+abstract class QueryInjectionSink extends DataFlow::Node { }
+
+/** A sink for SQL injection vulnerabilities. */
+private class SqlInjectionSink extends QueryInjectionSink {
+  SqlInjectionSink() {
+    this.asExpr() instanceof SqlExpr
+    or
+    exists(MethodAccess ma, Method m, int index |
+      ma.getMethod() = m and
+      ma.getArgument(index) = this.asExpr()
+    |
+      index = m.(SQLiteRunner).sqlIndex()
+      or
+      m instanceof BatchUpdateVarargsMethod
+      or
+      index = 0 and jdbcSqlMethod(m)
+      or
+      index = 0 and mybatisSqlMethod(m)
+      or
+      index = 0 and hibernateSqlMethod(m)
+    )
+  }
+}
+
+/** A sink for Java Persistence Query Language injection vulnerabilities. */
+private class PersistenceQueryInjectionSink extends QueryInjectionSink {
+  PersistenceQueryInjectionSink() {
+    // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
+    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
+      call.getMethod() = em.getACreateQueryMethod() or
+      call.getMethod() = em.getACreateNativeQueryMethod()
+      // note: `createNamedQuery` is safe, as it takes only the query name,
+      // and named queries can only be constructed using constants as the query text
+    )
+  }
+}