From 9a84abf2590a1bca4e5e04065759be40b4c62e9d Mon Sep 17 00:00:00 2001
From: Remco Vermeulen
Date: Thu, 9 Jul 2020 12:32:17 +0200
Subject: [PATCH] Generalize QueryInjectionSink

Extends from the more general DataFlow::Node instead of DataFlow::ExprNode
---
 java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql | 2 +-
 java/ql/src/semmle/code/java/security/QueryInjection.qll | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
index e721cb7fba6..1f92b7acbbc 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura
 from QueryInjectionSink query, Expr uncontrolled
 where
   (
-    builtFromUncontrolledConcat(query.getExpr(), uncontrolled)
+    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
     or
     exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
       uncontrolledStringBuilderQuery(sbv, uncontrolled) and
diff --git a/java/ql/src/semmle/code/java/security/QueryInjection.qll b/java/ql/src/semmle/code/java/security/QueryInjection.qll
index 9c906e45e97..2035aacb344 100644
--- a/java/ql/src/semmle/code/java/security/QueryInjection.qll
+++ b/java/ql/src/semmle/code/java/security/QueryInjection.qll
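Review bot: Now that `QueryInjectionSink` is a general `DataFlow::Node`, `query.asExpr()` on the `+` line has no result for sinks that are not expression nodes, so the first disjunct silently fails for them and this query only ever reports expression-backed sinks. That is presumably the intent, but nothing at the call site says so; a comment above the disjunct, `// asExpr() has no result for non-expression sinks, so only expression sinks are reported here`, would record it. If a non-expression sink is later added to QueryInjection.qll, this query will need an explicit restriction or an extra disjunct rather than relying on that silent failure. The `where` clause and the `select` continue past the end of the hunk.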
@@ -10,16 +10,16 @@ import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Hibernate
 /** A sink for database query language injection vulnerabilities. */
-abstract class QueryInjectionSink extends DataFlow::ExprNode { }
+abstract class QueryInjectionSink extends DataFlow::Node { }
 /** A sink for SQL injection vulnerabilities. */
 private class SqlInjectionSink extends QueryInjectionSink {
   SqlInjectionSink() {
-    this.getExpr() instanceof SqlExpr
+    this.asExpr() instanceof SqlExpr
     or
     exists(MethodAccess ma, Method m, int index |
       ma.getMethod() = m and
-      ma.getArgument(index) = this.getExpr()
+      ma.getArgument(index) = this.asExpr()
     |
       index = m.(SQLiteRunner).sqlIndex() or
@@ -38,7 +38,7 @@ private class SqlInjectionSink extends QueryInjectionSink {
 private class PersistenceQueryInjectionSink extends QueryInjectionSink {
   PersistenceQueryInjectionSink() {
     // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
-    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
+    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
       call.getMethod() = em.getACreateQueryMethod() or
       call.getMethod() = em.getACreateNativeQueryMethod()
       // note: `createNamedQuery` is safe, as it takes only the query name,
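Review bot: The QLDoc on `QueryInjectionSink` is unchanged by the `+` line and says nothing about the widened base type, so a reader cannot tell that subclasses may now be any `DataFlow::Node` and that `asExpr()` may have no result for them. Suggest `/** A sink for database query language injection vulnerabilities. Subclasses may be any DataFlow::Node, not only expression nodes, so callers must not assume asExpr() has a result. */`. The remaining `getExpr()` to `asExpr()` substitutions in this hunk and in the `@@ -38,7` hunk are mechanical and need nothing further; any other query that still calls `getExpr()` on a `QueryInjectionSink` will presumably no longer compile, which is worth checking outside this diff.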