From fa8b278332f4d1fb22e9bdd8c6c361678666ae3d Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 30 Jun 2020 11:57:17 -0400
Subject: [PATCH 1/2] Add jOOQ methods as SQL Injection Sinks

---
 .../Security/CWE/CWE-089/SqlInjectionLib.qll | 3 +++
 .../src/semmle/code/java/frameworks/jOOQ.qll | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 java/ql/src/semmle/code/java/frameworks/jOOQ.qll

diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
index 2572d91cb99..215a2c78759 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.javaee.Persistence
 import semmle.code.java.frameworks.SpringJdbc
 import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Hibernate
+import semmle.code.java.frameworks.jOOQ
 
 /** A sink for database query language injection vulnerabilities. */
 abstract class QueryInjectionSink extends DataFlow::ExprNode { }
@@ -29,6 +30,8 @@ class SqlInjectionSink extends QueryInjectionSink {
       index = 0 and mybatisSqlMethod(m)
       or
       index = 0 and hibernateSqlMethod(m)
+      or
+      index = 0 and jOOQSqlMethod(m)
     )
   }
 }
diff --git a/java/ql/src/semmle/code/java/frameworks/jOOQ.qll b/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
new file mode 100644
index 00000000000..2eb1284ab70
--- /dev/null
+++ b/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides classes and predicates for working with the jOOQ framework.
+ */
+
+import java
+
+/**
+ * Methods annotated with this allow for generation of "plain SQL"
+ * and is prone to SQL injection.
+ * https://www.jooq.org/doc/current/manual/sql-building/plain-sql/
+ */
+private class PlainSQLType extends Annotation {
+  PlainSQLType() {
+    this.getType().hasQualifiedName("org.jooq", "PlainSQL")
+  }
+}
+
+/**
+ * Holds if `m` is a jOOQ SQL method taking an SQL string as its
+ * first argument.
+ */
+predicate jOOQSqlMethod(Method m) {
+  m.getAnAnnotation() instanceof PlainSQLType and
+  m.getParameterType(0) instanceof TypeString
+}

From 341ab2ee0e123717b711887344698ecfaecf4b5b Mon Sep 17 00:00:00 2001
From: Jonathan Leitschuh
Date: Tue, 18 Aug 2020 13:20:56 -0400
Subject: [PATCH 2/2] Fix formatting on jOOQ.qll

---
 java/ql/src/semmle/code/java/frameworks/jOOQ.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/java/ql/src/semmle/code/java/frameworks/jOOQ.qll b/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
index 2eb1284ab70..5f473a18f33 100644
--- a/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
@@ -10,9 +10,7 @@ import java
  * https://www.jooq.org/doc/current/manual/sql-building/plain-sql/
  */
 private class PlainSQLType extends Annotation {
-  PlainSQLType() {
-    this.getType().hasQualifiedName("org.jooq", "PlainSQL")
-  }
+  PlainSQLType() { this.getType().hasQualifiedName("org.jooq", "PlainSQL") }
 }
 
 /**
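Review bot: `PlainSQLType` in the new jOOQ.qll hunk extends `Annotation`, which in the CodeQL Java library models an annotation use rather than an annotation type, so the `...Type` suffix is misleading and the library's own convention (compare `SuppressWarningsAnnotation`) would call it `PlainSQLAnnotation`. The QLDoc above it also has a number-agreement slip and should read `Methods annotated with this allow for generation of "plain SQL" and are prone to SQL injection.`. One thing to confirm: `m.getAnAnnotation()` only sees an annotation written on `m` itself, so if a call resolves to an implementing method that does not repeat `@PlainSQL` (rather than the annotated interface method), `jOOQSqlMethod` would miss that sink; if that can occur, also matching `m.getASourceOverriddenMethod*()` would close the gap, though presumably jOOQ annotates the interface methods that calls resolve to. The second patch below only reformats the charpred and needs no review.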