Add SqlConcatenatedQuery

2026-04-30 11:15:13 +02:00 · 2023-04-03 15:49:34 -04:00
parent 1af6d5f7b3
commit c15ce27957
3 changed files with 36 additions and 22 deletions
--- a/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
+++ b/java/ql/lib/change-notes/2023-03-30-add-libraries-for-query-configurations.md
@@ -2,3 +2,4 @@
 category: minorAnalysis
 ---
 * Added the `TaintedPermissionQuery.qll` library to provide the `TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
+* Added the `SqlConcatenatedQuery.qll` library to provide the `UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
--- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -0,0 +1,34 @@
+/** Provides classes and modules to reason about SqlInjection vulnerabilities from string concatentation. */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+private import semmle.code.java.security.SqlConcatenatedLib
+private import semmle.code.java.security.SqlInjectionQuery
+
+private class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
+  UncontrolledStringBuilderSource() {
+    exists(StringBuilderVar sbv |
+      uncontrolledStringBuilderQuery(sbv, _) and
+      this.getExpr() = sbv.getToStringCall()
+    )
+  }
+}
+
+/**
+ * A taint-tracking configuration for reasoning about uncontrolled string builders.
+ */
+module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
+  }
+}
+
+/**
+ * Taint-tracking flow for uncontrolled string builders that are used in a SQL query.
+ */
+module UncontrolledStringBuilderSourceFlow =
+  TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
--- a/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
@@ -15,28 +15,7 @@
 import java
 import semmle.code.java.security.SqlConcatenatedLib
 import semmle.code.java.security.SqlInjectionQuery
-
-class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
-  UncontrolledStringBuilderSource() {
-    exists(StringBuilderVar sbv |
-      uncontrolledStringBuilderQuery(sbv, _) and
-      this.getExpr() = sbv.getToStringCall()
-    )
-  }
-}
-
-module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
-
-  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
-
-  predicate isBarrier(DataFlow::Node node) {
-    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
-  }
-}
-
-module UncontrolledStringBuilderSourceFlow =
-  TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
+import semmle.code.java.security.SqlConcatenatedQuery

 from QueryInjectionSink query, Expr uncontrolled
 where