[DIFF-INFORMED] Java: SqlConcatenated

https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql#L27
2026-03-01 21:34:50 +01:00 · 2025-07-16 15:50:02 +02:00
parent 45b627df1d
commit b3b139bb02
1 changed files with 9 additions and 0 deletions
--- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -24,6 +24,15 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }

  predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node source) {
+    exists(Expr uncontrolled, StringBuilderVar sbv | result = uncontrolled.getLocation() |
+      uncontrolledStringBuilderQuery(sbv, uncontrolled) and
+      source = DataFlow::exprNode(sbv.getToStringCall())
+    )
+  }
 }

 /**