Java: Add new SQL sinks for Hibernate versions 4 and 6

aibaars · aibaars · commit 1f4028f4a08a · 2020-09-08T16:26:13.000+02:00
diff --git a/java/ql/src/semmle/code/java/frameworks/Hibernate.qll b/java/ql/src/semmle/code/java/frameworks/Hibernate.qll
@@ -4,20 +4,36 @@
 
 import java
 
+/** The interface `org.hibernate.query.QueryProducer`. */
+class HibernateQueryProducer extends RefType {
+  HibernateQueryProducer() { this.hasQualifiedName("org.hibernate.query", "QueryProducer") }
+}
+
+/** The interface `org.hibernate.SharedSessionContract`. */
+class HibernateSharedSessionContract extends RefType {
+  HibernateSharedSessionContract() {
+    this.hasQualifiedName("org.hibernate", "SharedSessionContract")
+  }
+}
+
 /** The interface `org.hibernate.Session`. */
 class HibernateSession extends RefType {
   HibernateSession() { this.hasQualifiedName("org.hibernate", "Session") }
 }
 
 /**
- * Holds if `m` is a method on `HibernateSession`, or a subclass, taking an SQL
- * string as its first argument.
+ * Holds if `m` is a method on `HibernateQueryProducer`, or `HibernateSharedSessionContract`
+ * or `HibernateSession`, or a subclass, taking an SQL string as its first argument.
  */
 predicate hibernateSqlMethod(Method m) {
-  m.getDeclaringType().getASourceSupertype*() instanceof HibernateSession and
+  exists(RefType t |
+    t = m.getDeclaringType().getASourceSupertype*() and
+    (
+      t instanceof HibernateQueryProducer or
+      t instanceof HibernateSharedSessionContract or
+      t instanceof HibernateSession
+    )
+  ) and
   m.getParameterType(0) instanceof TypeString and
-  (
-    m.hasName("createQuery") or
-    m.hasName("createSQLQuery")
-  )
+  m.hasName(["createQuery", "createNativeQuery", "createSQLQuery"])
 }
