Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests

Add Hibernate SQL injection sink models and coverage
2026-05-14 11:19:27 +02:00 · 2026-04-24 09:36:46 +01:00
parent ae89b2ee79 083909ee3b
commit 9fbe447428
10 changed files with 84 additions and 1 deletions
--- a/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
+++ b/java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.
--- a/java/ql/lib/ext/org.hibernate.query.model.yml
+++ b/java/ql/lib/ext/org.hibernate.query.model.yml
@@ -4,5 +4,8 @@ extensions:
      extensible: sinkModel
    data:
      - ["org.hibernate.query", "QueryProducer", True, "createNativeQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createNativeMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["org.hibernate.query", "QueryProducer", True, "createQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createSelectionQuery", "", "", "Argument[0]", "sql-injection", "manual"]
      - ["org.hibernate.query", "QueryProducer", True, "createSQLQuery", "", "", "Argument[0]", "sql-injection", "manual"]
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java
@@ -0,0 +1,25 @@
+import org.hibernate.Session;
+import org.hibernate.SharedSessionContract;
+import org.hibernate.query.QueryProducer;
+
+public class Hibernate {
+
+  public static String source() { return null; }
+
+  public static void test(
+      Session session, SharedSessionContract sharedSessionContract, QueryProducer queryProducer) {
+    session.createQuery(source()); // $ sqlInjection
+    session.createSQLQuery(source()); // $ sqlInjection
+
+    sharedSessionContract.createQuery(source()); // $ sqlInjection
+    sharedSessionContract.createSQLQuery(source()); // $ sqlInjection
+
+    queryProducer.createNativeQuery(source()); // $ sqlInjection
+    queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
+    queryProducer.createQuery(source()); // $ sqlInjection
+    queryProducer.createMutationQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
+    queryProducer.createSQLQuery(source()); // $ sqlInjection
+  }
+}
--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0:${testdir}/../../../../../stubs/hibernate-5.x --release 21
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/Session.java
@@ -0,0 +1,10 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+
+public interface Session extends SharedSessionContract {
+
+  Query createQuery(String queryString);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/SharedSessionContract.java
@@ -0,0 +1,11 @@
+package org.hibernate;
+
+import org.hibernate.query.Query;
+import org.hibernate.query.QueryProducer;
+
+public interface SharedSessionContract extends QueryProducer {
+
+  Query createQuery(String queryString);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/MutationQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface MutationQuery {
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/Query.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface Query {
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/QueryProducer.java
@@ -0,0 +1,18 @@
+package org.hibernate.query;
+
+public interface QueryProducer {
+
+  Query createNativeQuery(String sqlString);
+
+  MutationQuery createNativeMutationQuery(String sqlString);
+
+  Query createQuery(String queryString);
+
+  MutationQuery createMutationQuery(String hqlString);
+
+  SelectionQuery<?> createSelectionQuery(String hqlString);
+
+  <R> SelectionQuery<R> createSelectionQuery(String hqlString, Class<R> resultType);
+
+  Query createSQLQuery(String queryString);
+}
--- a/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
+++ b/java/ql/test/stubs/hibernate-5.x/org/hibernate/query/SelectionQuery.java
@@ -0,0 +1,4 @@
+package org.hibernate.query;
+
+public interface SelectionQuery<R> {
+}