hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-26 20:03:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
4832dc51edfd122cf82eb424b1b8c4e543f63171
codeql/java/ql/lib/semmle/code/java/security/SqlConcatenatedLib.qll
Chris Smowton f552a15aae Mass-rename MethodAccess -> MethodCall
2023-10-24 10:30:26 +01:00

46 lines
1.5 KiB
Plaintext
Raw Blame History

/** Definitions used by `SqlConcatenated.ql`. */
import semmle.code.java.security.ControlledString
import semmle.code.java.dataflow.TaintTracking
/**
* A string concatenation that includes a string
* not known to be programmer controlled.
*/
predicate builtFromUncontrolledConcat(Expr expr, Expr uncontrolled) {
// Base case
exists(AddExpr concatExpr | concatExpr = expr |
endsInQuote(concatExpr.getLeftOperand()) and
uncontrolled = concatExpr.getRightOperand() and
not controlledString(uncontrolled)
)
or
// Recursive cases
exists(Expr other | builtFromUncontrolledConcat(other, uncontrolled) |
expr.(AddExpr).getAnOperand() = other
or
exists(Variable var | var.getAnAssignedValue() = other and var.getAnAccess() = expr)
)
}
/**
* A query built with a StringBuilder, where one of the
* items appended is uncontrolled.
*/
predicate uncontrolledStringBuilderQuery(StringBuilderVar sbv, Expr uncontrolled) {
// A single append that has a problematic concatenation.
exists(MethodCall append |
append = sbv.getAnAppend() and
builtFromUncontrolledConcat(append.getArgument(0), uncontrolled)
)
or
// Two calls to append, one ending in a quote, the next being uncontrolled.
exists(MethodCall quoteAppend, MethodCall uncontrolledAppend |
sbv.getAnAppend() = quoteAppend and
endsInQuote(quoteAppend.getArgument(0)) and
sbv.getNextAppend(quoteAppend) = uncontrolledAppend and
uncontrolled = uncontrolledAppend.getArgument(0) and
not controlledString(uncontrolled)
)
}
Reference in New Issue View Git Blame Copy Permalink