Java: Opt-in the SQL injection query to use threat model flow sources.

2026-04-27 17:55:19 +02:00 · 2023-10-04 10:51:07 +02:00
parent 5fd6dc3b87
commit f0fb065446
1 changed files with 1 additions and 1 deletions
--- a/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
@@ -37,7 +37,7 @@ deprecated class QueryInjectionFlowConfig extends TaintTracking::Configuration {
 * A taint-tracking configuration for unvalidated user input that is used in SQL queries.
 */
 module QueryInjectionFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
+  predicate isSource(DataFlow::Node src) { src instanceof ThreatModelFlowSource }

  predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }