Generalize QueryInjectionSink

Extend from the more general DataFlow::Node instead of
DataFlow::ExprNode.
This commit is contained in:
Remco Vermeulen
2020-07-09 12:32:17 +02:00
parent c01844a39e
commit 9a84abf259
2 changed files with 5 additions and 5 deletions


@@ -10,16 +10,16 @@ import semmle.code.java.frameworks.MyBatis
import semmle.code.java.frameworks.Hibernate
/** A sink for database query language injection vulnerabilities. */
abstract class QueryInjectionSink extends DataFlow::ExprNode { }
abstract class QueryInjectionSink extends DataFlow::Node { }
/** A sink for SQL injection vulnerabilities. */
private class SqlInjectionSink extends QueryInjectionSink {
SqlInjectionSink() {
this.getExpr() instanceof SqlExpr
this.asExpr() instanceof SqlExpr
or
exists(MethodAccess ma, Method m, int index |
ma.getMethod() = m and
ma.getArgument(index) = this.getExpr()
ma.getArgument(index) = this.asExpr()
|
index = m.(SQLiteRunner).sqlIndex()
or
@@ -38,7 +38,7 @@ private class SqlInjectionSink extends QueryInjectionSink {
private class PersistenceQueryInjectionSink extends QueryInjectionSink {
PersistenceQueryInjectionSink() {
// the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
call.getMethod() = em.getACreateQueryMethod() or
call.getMethod() = em.getACreateNativeQueryMethod()
// note: `createNamedQuery` is safe, as it takes only the query name,
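Review bot: The QLDoc on `QueryInjectionSink` does not say what the widening to `DataFlow::Node` buys, so a reader of the abstract class cannot tell whether a subclass is allowed to define a sink that is not an expression. Since `SqlInjectionSink` and `PersistenceQueryInjectionSink` still restrict themselves through `this.asExpr()`, the change is behaviour-neutral for them, but the extension point is now wider and that is worth stating. I would extend the comment on the abstract class to `/** A sink for database query language injection vulnerabilities. Subclasses may now be any data-flow node, not only an expression. */`. The second file in the diffstat is outside this view, so I cannot confirm the same adjustment applies there.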