Add jOOQ methods as SQL Injection Sinks

2026-04-30 11:15:13 +02:00 · 2020-06-30 11:57:17 -04:00
parent d4c5887122
commit fa8b278332
2 changed files with 28 additions and 0 deletions
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -7,6 +7,7 @@ import semmle.code.java.frameworks.javaee.Persistence
 import semmle.code.java.frameworks.SpringJdbc
 import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Hibernate
+import semmle.code.java.frameworks.jOOQ

 /** A sink for database query language injection vulnerabilities. */
 abstract class QueryInjectionSink extends DataFlow::ExprNode { }
@@ -29,6 +30,8 @@ class SqlInjectionSink extends QueryInjectionSink {
      index = 0 and mybatisSqlMethod(m)
      or
      index = 0 and hibernateSqlMethod(m)
+      or
+      index = 0 and jOOQSqlMethod(m)
    )
  }
 }
--- a/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
+++ b/java/ql/src/semmle/code/java/frameworks/jOOQ.qll
@@ -0,0 +1,25 @@
+/**
+ * Provides classes and predicates for working with the jOOQ framework.
+ */
+
+import java
+
+/**
+ * Methods annotated with this allow for generation of "plain SQL"
+ * and is prone to SQL injection.
+ * https://www.jooq.org/doc/current/manual/sql-building/plain-sql/
+ */
+private class PlainSQLType extends Annotation {
+  PlainSQLType() {
+    this.getType().hasQualifiedName("org.jooq", "PlainSQL")
+  }
+}
+
+/**
+ * Holds if `m` is a jOOQ SQL method taking an SQL string as its
+ * first argument.
+ */
+predicate jOOQSqlMethod(Method m) {
+  m.getAnAnnotation() instanceof PlainSQLType and
+  m.getParameterType(0) instanceof TypeString
+}