hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 09:15:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add SqlConcatenatedQuery

Browse Source
This commit is contained in:
Ed Minnix
2023-04-03 15:49:34 -04:00
parent 1af6d5f7b3
commit c15ce27957
3 changed files with 36 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
View File

@@ -15,28 +15,7 @@
import java
import semmle.code.java.security.SqlConcatenatedLib
import semmle.code.java.security.SqlInjectionQuery
class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
UncontrolledStringBuilderSource() {
exists(StringBuilderVar sbv |
uncontrolledStringBuilderQuery(sbv, _) and
this.getExpr() = sbv.getToStringCall()
)
}
}
module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
predicate isBarrier(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
}
}
module UncontrolledStringBuilderSourceFlow =
TaintTracking::Global<UncontrolledStringBuilderSourceFlowConfig>;
import semmle.code.java.security.SqlConcatenatedQuery
from QueryInjectionSink query, Expr uncontrolled
where