diff --git a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll index 245c9146b2d..88e811f16be 100644 --- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll +++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll @@ -11,9 +11,11 @@ import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.QueryInjection /** + * DEPRECATED: Use `QueryInjectionFlow` instead. + * * A taint-tracking configuration for unvalidated user input that is used in SQL queries. */ -class QueryInjectionFlowConfig extends TaintTracking::Configuration { +deprecated class QueryInjectionFlowConfig extends TaintTracking::Configuration { QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" } override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } @@ -31,12 +33,34 @@ class QueryInjectionFlowConfig extends TaintTracking::Configuration { } } +/** + * A taint-tracking configuration for unvalidated user input that is used in SQL queries. + */ +private module QueryInjectionFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource } + + predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink } + + predicate isBarrier(DataFlow::Node node) { + node.getType() instanceof PrimitiveType or + node.getType() instanceof BoxedType or + node.getType() instanceof NumberType + } + + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + any(AdditionalQueryInjectionTaintStep s).step(node1, node2) + } +} + +/** Tracks flow of unvalidated user input that is used in SQL queries. */ +module QueryInjectionFlow = TaintTracking::Make; + /** * Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it * can be excluded from `SqlConcatenated.ql` to avoid overlapping results. */ predicate queryTaintedBy( - QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink + QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink ) { - exists(QueryInjectionFlowConfig conf | conf.hasFlowPath(source, sink) and sink.getNode() = query) + QueryInjectionFlow::hasFlowPath(source, sink) and sink.getNode() = query } diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql index 963a927bf93..628d469bac7 100644 --- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql +++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql @@ -15,8 +15,9 @@ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.security.SqlInjectionQuery -import DataFlow::PathGraph +import QueryInjectionFlow::PathGraph -from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink +from + QueryInjectionSink query, QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink where queryTaintedBy(query, source, sink) select query, source, sink, "This query depends on a $@.", source.getNode(), "user-provided value"