From a1675775515e9ea1294a507b2c4e8063b16d9bea Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Thu, 30 Jan 2020 12:01:36 +0100
Subject: [PATCH] Java: Add java.lang.Number as a sanitizer for SQL injection.

---
 java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll | 4 +++-
 java/ql/src/semmle/code/java/JDK.qll | 10 ++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
index 3d2e2b91434..2572d91cb99 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -54,7 +54,9 @@ private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
 override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
 
 override predicate isSanitizer(DataFlow::Node node) {
- node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+ node.getType() instanceof PrimitiveType or
+ node.getType() instanceof BoxedType or
+ node.getType() instanceof NumberType
 }
 }
 
diff --git a/java/ql/src/semmle/code/java/JDK.qll b/java/ql/src/semmle/code/java/JDK.qll
index 37f8f359c80..d9a1a15e5d3 100644
--- a/java/ql/src/semmle/code/java/JDK.qll
+++ b/java/ql/src/semmle/code/java/JDK.qll
@@ -101,6 +101,16 @@ class TypeMath extends Class {
 TypeMath() { this.hasQualifiedName("java.lang", "Math") }
 }
 
+/** The class `java.lang.Number`. */
+class TypeNumber extends RefType {
+ TypeNumber() { this.hasQualifiedName("java.lang", "Number") }
+}
+
+/** A (reflexive, transitive) subtype of `java.lang.Number`. */
+class NumberType extends RefType {
+ NumberType() { exists(TypeNumber number | hasSubtype*(number, this)) }
+}
+
 /** A numeric type, including both primitive and boxed types. */
 class NumericType extends Type {
 NumericType() {
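Review bot: The new `node.getType() instanceof NumberType` disjunct in `isSanitizer` sanitizes every transitive subtype of `java.lang.Number`, not just the JDK numeric classes, so a project-defined subclass of `Number` whose `toString()` returns arbitrary text would also stop taint here; whether that matters depends on the codebases scanned, but the assumption is not stated anywhere in the hunk. A one-line comment above the new disjunct would make the trade-off explicit for the next maintainer, e.g. `// Any subtype of java.lang.Number is treated as safe; this assumes its string form is numeric, which a custom Number subclass need not guarantee.` If a narrower check is preferred, restricting to `NumberType` values that are also JDK-declared types (or listing `BigInteger`/`BigDecimal` alongside `BoxedType`) would cover the common cases without the blanket assumption. The enclosing class `QueryInjectionFlowConfig` starts before this hunk.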
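Review bot: `TypeNumber` is declared as `extends RefType` while its sibling `TypeMath` directly above it uses `extends Class`, and `java.lang.Number` is a class, so `class TypeNumber extends Class {` would match the surrounding declarations in this file. The `NumberType` doc comment could also state that the subtype closure includes non-JDK classes, since the class is now used as a sanitizer and a reader may assume it means "a JDK numeric wrapper": `/** A (reflexive, transitive) subtype of `java.lang.Number`, including user-defined subclasses. */`. The `NumericType` class whose header closes this hunk continues outside it.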