github
diff --git a/‎change-notes/1.23/analysis-java.md‎
Lines changed: 11 additions & 0 deletions b/‎change-notes/1.23/analysis-java.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎java/ql/src/semmle/code/java/frameworks/Jdbc.qll‎
Lines changed: 18 additions & 0 deletions b/‎java/ql/src/semmle/code/java/frameworks/Jdbc.qll‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected‎
Lines changed: 17 additions & 11 deletions b/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected‎
Lines changed: 17 additions & 11 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlUnescaped.expected‎
Lines changed: 10 additions & 5 deletions b/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlUnescaped.expected‎
Lines changed: 10 additions & 5 deletions
diff --git a/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java‎
Lines changed: 24 additions & 1 deletion b/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java‎
Lines changed: 24 additions & 1 deletion
diff --git a/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/ValidatedVariable.expected‎
Lines changed: 1 addition & 1 deletion b/‎java/ql/test/query-tests/security/CWE-089/semmle/examples/ValidatedVariable.expected‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,11 @@
+# Improvements to Java analysis
+
+The following changes in version 1.23 affect Java analysis in all applications.
+
+## Changes to existing queries
+
+| **Query**                    | **Expected impact**    | **Change**                        |
+|------------------------------|------------------------|-----------------------------------|
+| Query built from user-controlled sources (`java/sql-injection`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built from local-user-controlled sources (`java/sql-injection-local`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
+| Query built without neutralizing special characters (`java/concatenated-sql-query`) | More results | The query now identifies arguments to `Statement.executeLargeUpdate` and `Connection.prepareCall` as SQL expressions sinks. |
@@ -34,6 +34,14 @@ class ConnectionPrepareStatement extends Method {
   }
 }
 
+/** A method with the name `prepareCall` declared in `java.sql.Connection`. */
+class ConnectionPrepareCall extends Method {
+  ConnectionPrepareCall() {
+    getDeclaringType() instanceof TypeConnection and
+    hasName("prepareCall")
+  }
+}
+
 /** A method with the name `executeQuery` declared in `java.sql.Statement`. */
 class StatementExecuteQuery extends Method {
   StatementExecuteQuery() {
@@ -58,6 +66,14 @@ class MethodStatementExecuteUpdate extends Method {
   }
 }
 
+/** A method with the name `executeLargeUpdate` declared in `java.sql.Statement`. */
+class MethodStatementExecuteLargeUpdate extends Method {
+  MethodStatementExecuteLargeUpdate() {
+    getDeclaringType() instanceof TypeStatement and
+    hasName("executeLargeUpdate")
+  }
+}
+
 /** A method with the name `addBatch` declared in `java.sql.Statement`. */
 class MethodStatementAddBatch extends Method {
   MethodStatementAddBatch() {
@@ -87,9 +103,11 @@ class SqlExpr extends Expr {
       method = call.getMethod() and
       (
         method instanceof ConnectionPrepareStatement or
+        method instanceof ConnectionPrepareCall or
         method instanceof StatementExecuteQuery or
         method instanceof MethodStatementExecute or
         method instanceof MethodStatementExecuteUpdate or
+        method instanceof MethodStatementExecuteLargeUpdate or
         method instanceof MethodStatementAddBatch
       )
     )
 
@@ -1,14 +1,20 @@
 edges
 | Test.java:29:30:29:42 | args [String[]] | Test.java:36:47:36:52 | query1 |
-| Test.java:29:30:29:42 | args [String[]] | Test.java:44:62:44:67 | query3 |
-| Test.java:29:30:29:42 | args [String[]] | Test.java:56:47:56:61 | querySbToString |
-| Test.java:160:33:160:45 | args [String[]] | Test.java:186:47:186:68 | queryWithUserTableName |
-| Test.java:190:26:190:38 | args [String[]] | Test.java:191:11:191:14 | args [String[]] |
-| Test.java:190:26:190:38 | args [String[]] | Test.java:195:14:195:17 | args [String[]] |
-| Test.java:191:11:191:14 | args [String[]] | Test.java:29:30:29:42 | args [String[]] |
-| Test.java:195:14:195:17 | args [String[]] | Test.java:160:33:160:45 | args [String[]] |
+| Test.java:29:30:29:42 | args [String[]] | Test.java:42:57:42:62 | query2 |
+| Test.java:29:30:29:42 | args [String[]] | Test.java:50:62:50:67 | query3 |
+| Test.java:29:30:29:42 | args [String[]] | Test.java:62:47:62:61 | querySbToString |
+| Test.java:29:30:29:42 | args [String[]] | Test.java:70:40:70:44 | query |
+| Test.java:29:30:29:42 | args [String[]] | Test.java:78:46:78:50 | query |
+| Test.java:183:33:183:45 | args [String[]] | Test.java:209:47:209:68 | queryWithUserTableName |
+| Test.java:213:26:213:38 | args [String[]] | Test.java:214:11:214:14 | args [String[]] |
+| Test.java:213:26:213:38 | args [String[]] | Test.java:218:14:218:17 | args [String[]] |
+| Test.java:214:11:214:14 | args [String[]] | Test.java:29:30:29:42 | args [String[]] |
+| Test.java:218:14:218:17 | args [String[]] | Test.java:183:33:183:45 | args [String[]] |
 #select
-| Test.java:36:47:36:52 | query1 | Test.java:190:26:190:38 | args [String[]] | Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input |
-| Test.java:44:62:44:67 | query3 | Test.java:190:26:190:38 | args [String[]] | Test.java:44:62:44:67 | query3 | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input |
-| Test.java:56:47:56:61 | querySbToString | Test.java:190:26:190:38 | args [String[]] | Test.java:56:47:56:61 | querySbToString | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input |
-| Test.java:186:47:186:68 | queryWithUserTableName | Test.java:190:26:190:38 | args [String[]] | Test.java:186:47:186:68 | queryWithUserTableName | Query might include code from $@. | Test.java:190:26:190:38 | args | this user input |
+| Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args [String[]] | Test.java:36:47:36:52 | query1 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args [String[]] | Test.java:42:57:42:62 | query2 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args [String[]] | Test.java:50:62:50:67 | query3 | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:62:47:62:61 | querySbToString | Test.java:213:26:213:38 | args [String[]] | Test.java:62:47:62:61 | querySbToString | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:70:40:70:44 | query | Test.java:213:26:213:38 | args [String[]] | Test.java:70:40:70:44 | query | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:78:46:78:50 | query | Test.java:213:26:213:38 | args [String[]] | Test.java:78:46:78:50 | query | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
+| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:213:26:213:38 | args [String[]] | Test.java:209:47:209:68 | queryWithUserTableName | Query might include code from $@. | Test.java:213:26:213:38 | args | this user input |
@@ -1,6 +1,11 @@
 | Test.java:36:47:36:52 | query1 | Query might not neutralize special characters in $@. | Test.java:35:8:35:15 | category | this expression |
-| Test.java:44:62:44:67 | query3 | Query might not neutralize special characters in $@. | Test.java:43:8:43:15 | category | this expression |
-| Test.java:56:47:56:61 | querySbToString | Query might not neutralize special characters in $@. | Test.java:52:19:52:26 | category | this expression |
-| Test.java:75:47:75:60 | queryFromField | Query might not neutralize special characters in $@. | Test.java:74:8:74:19 | categoryName | this expression |
-| Test.java:85:47:85:61 | querySbToString | Query might not neutralize special characters in $@. | Test.java:81:19:81:30 | categoryName | this expression |
-| Test.java:95:47:95:62 | querySb2ToString | Query might not neutralize special characters in $@. | Test.java:91:46:91:57 | categoryName | this expression |
+| Test.java:42:57:42:62 | query2 | Query might not neutralize special characters in $@. | Test.java:41:51:41:52 | id | this expression |
+| Test.java:50:62:50:67 | query3 | Query might not neutralize special characters in $@. | Test.java:49:8:49:15 | category | this expression |
+| Test.java:62:47:62:61 | querySbToString | Query might not neutralize special characters in $@. | Test.java:58:19:58:26 | category | this expression |
+| Test.java:70:40:70:44 | query | Query might not neutralize special characters in $@. | Test.java:69:50:69:54 | price | this expression |
+| Test.java:70:40:70:44 | query | Query might not neutralize special characters in $@. | Test.java:69:77:69:80 | item | this expression |
+| Test.java:78:46:78:50 | query | Query might not neutralize special characters in $@. | Test.java:77:50:77:54 | price | this expression |
+| Test.java:78:46:78:50 | query | Query might not neutralize special characters in $@. | Test.java:77:77:77:80 | item | this expression |
+| Test.java:98:47:98:60 | queryFromField | Query might not neutralize special characters in $@. | Test.java:97:8:97:19 | categoryName | this expression |
+| Test.java:108:47:108:61 | querySbToString | Query might not neutralize special characters in $@. | Test.java:104:19:104:30 | categoryName | this expression |
+| Test.java:118:47:118:62 | querySb2ToString | Query might not neutralize special characters in $@. | Test.java:114:46:114:57 | categoryName | this expression |
@@ -35,7 +35,13 @@ private static void tainted(String[] args) throws IOException, SQLException {
 					+ category + "' ORDER BY PRICE";
 			ResultSet results = statement.executeQuery(query1);
 		}
-		
+		// BAD: don't use user input when building a prepared call
+		{
+			String id = args[1];
+			String query2 = "{ call get_product_by_id('" + id + "',?,?,?) }";
+			PreparedStatement statement = connection.prepareCall(query2);
+			ResultSet results = statement.executeQuery();
+		}
 		// BAD: don't use user input when building a prepared query
 		{
 			String category = args[1];
@@ -55,6 +61,23 @@ private static void tainted(String[] args) throws IOException, SQLException {
 			Statement statement = connection.createStatement();
 			ResultSet results = statement.executeQuery(querySbToString);
 		}
+		// BAD: executeUpdate
+		{
+			String item = args[1];
+			String price = args[2];
+			Statement statement = connection.createStatement();
+			String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+			int count = statement.executeUpdate(query);
+		}
+		// BAD: executeUpdate
+		{
+			String item = args[1];
+			String price = args[2];
+			Statement statement = connection.createStatement();
+			String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+			long count = statement.executeLargeUpdate(query);
+		}
+
 		// OK: validate the input first
 		{
 			String category = args[1];
 
@@ -1 +1 @@
-| Test.java:64:8:64:15 | category |
+| Test.java:87:8:87:15 | category |
Original file line number	Diff line number	Diff line change
`@@ -34,6 +34,14 @@ class ConnectionPrepareStatement extends Method {`
`34`	`34`	`}`
`35`	`35`	`}`
`36`	`36`
	`37`	+/** A method with the name `prepareCall` declared in `java.sql.Connection`. */
	`38`	`+class ConnectionPrepareCall extends Method {`
	`39`	`+ ConnectionPrepareCall() {`
	`40`	`+ getDeclaringType() instanceof TypeConnection and`
	`41`	`+ hasName("prepareCall")`
	`42`	`+ }`
	`43`	`+}`
	`44`	`+`
`37`	`45`	/** A method with the name `executeQuery` declared in `java.sql.Statement`. */
`38`	`46`	`class StatementExecuteQuery extends Method {`
`39`	`47`	`StatementExecuteQuery() {`
`@@ -58,6 +66,14 @@ class MethodStatementExecuteUpdate extends Method {`
`58`	`66`	`}`
`59`	`67`	`}`
`60`	`68`
	`69`	+/** A method with the name `executeLargeUpdate` declared in `java.sql.Statement`. */
	`70`	`+class MethodStatementExecuteLargeUpdate extends Method {`
	`71`	`+ MethodStatementExecuteLargeUpdate() {`
	`72`	`+ getDeclaringType() instanceof TypeStatement and`
	`73`	`+ hasName("executeLargeUpdate")`
	`74`	`+ }`
	`75`	`+}`
	`76`	`+`
`61`	`77`	/** A method with the name `addBatch` declared in `java.sql.Statement`. */
`62`	`78`	`class MethodStatementAddBatch extends Method {`
`63`	`79`	`MethodStatementAddBatch() {`
`@@ -87,9 +103,11 @@ class SqlExpr extends Expr {`
`87`	`103`	`method = call.getMethod() and`
`88`	`104`	`(`
`89`	`105`	`method instanceof ConnectionPrepareStatement or`
	`106`	`+ method instanceof ConnectionPrepareCall or`
`90`	`107`	`method instanceof StatementExecuteQuery or`
`91`	`108`	`method instanceof MethodStatementExecute or`
`92`	`109`	`method instanceof MethodStatementExecuteUpdate or`
	`110`	`+ method instanceof MethodStatementExecuteLargeUpdate or`
`93`	`111`	`method instanceof MethodStatementAddBatch`
`94`	`112`	`)`
`95`	`113`	`)`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-\| Test.java:64:8:64:15 \| category \|`
	`1`	`+\| Test.java:87:8:87:15 \| category \|`