mirror of
https://github.com/github/codeql.git
synced 2026-03-01 05:13:41 +01:00
Generalize QueryInjectionSink
Extends from the more general DataFlow::Node instead of DataFlow::ExprNode
This commit is contained in:
@@ -10,16 +10,16 @@ import semmle.code.java.frameworks.MyBatis
|
||||
import semmle.code.java.frameworks.Hibernate
|
||||
|
||||
/** A sink for database query language injection vulnerabilities. */
|
||||
abstract class QueryInjectionSink extends DataFlow::ExprNode { }
|
||||
abstract class QueryInjectionSink extends DataFlow::Node { }
|
||||
|
||||
/** A sink for SQL injection vulnerabilities. */
|
||||
private class SqlInjectionSink extends QueryInjectionSink {
|
||||
SqlInjectionSink() {
|
||||
this.getExpr() instanceof SqlExpr
|
||||
this.asExpr() instanceof SqlExpr
|
||||
or
|
||||
exists(MethodAccess ma, Method m, int index |
|
||||
ma.getMethod() = m and
|
||||
ma.getArgument(index) = this.getExpr()
|
||||
ma.getArgument(index) = this.asExpr()
|
||||
|
|
||||
index = m.(SQLiteRunner).sqlIndex()
|
||||
or
|
||||
@@ -38,7 +38,7 @@ private class SqlInjectionSink extends QueryInjectionSink {
|
||||
private class PersistenceQueryInjectionSink extends QueryInjectionSink {
|
||||
PersistenceQueryInjectionSink() {
|
||||
// the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
|
||||
exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
|
||||
exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
|
||||
call.getMethod() = em.getACreateQueryMethod() or
|
||||
call.getMethod() = em.getACreateNativeQueryMethod()
|
||||
// note: `createNamedQuery` is safe, as it takes only the query name,
|
||||
|
||||
Reference in New Issue
Block a user