Merge pull request #3542 from porcupineyhairs/mongoJava

Java : add MongoDB injection sinks
2025-12-22 03:36:30 +01:00 · 2020-09-01 16:19:17 +02:00
parent 311e62f21d 441825919c
commit cc61e6117e
15 changed files with 206 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -4,6 +4,22 @@ import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.QueryInjection

+/** A sink for MongoDB injection vulnerabilities. */
+class MongoDbInjectionSink extends QueryInjectionSink {
+  MongoDbInjectionSink() {
+    exists(MethodAccess call |
+      call.getMethod().getDeclaringType().hasQualifiedName("com.mongodb", "BasicDBObject") and
+      call.getMethod().hasName("parse") and
+      this.asExpr() = call.getArgument(0)
+    )
+    or
+    exists(CastExpr c |
+      c.getExpr() = this.asExpr() and
+      c.getTypeExpr().getType().(RefType).hasQualifiedName("com.mongodb", "DBObject")
+    )
+  }
+}
+
 private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
  QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }

@@ -16,6 +32,10 @@ private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
    node.getType() instanceof BoxedType or
    node.getType() instanceof NumberType
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    mongoJsonStep(node1, node2)
+  }
 }

 /**
@@ -27,3 +47,12 @@ predicate queryTaintedBy(
 ) {
  exists(QueryInjectionFlowConfig conf | conf.hasFlowPath(source, sink) and sink.getNode() = query)
 }
+
+predicate mongoJsonStep(DataFlow::Node node1, DataFlow::Node node2) {
+  exists(MethodAccess ma |
+    ma.getMethod().getDeclaringType().hasQualifiedName("com.mongodb.util", "JSON") and
+    ma.getMethod().hasName("parse") and
+    ma.getArgument(0) = node1.asExpr() and
+    ma = node2.asExpr()
+  )
+}
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -25,6 +25,10 @@ class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configurat
  override predicate isSanitizer(DataFlow::Node node) {
    node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    mongoJsonStep(node1, node2)
+  }
 }

 from