Merge pull request #5487 from joefarebrother/sql-sinks

Java: Convert SQL sinks to CSV format

Author: aschackmull

java/ql/src/semmle/code/java/dataflow/ExternalFlow.qll

@@ -95,6 +95,12 @@ private module Frameworks {
   private import semmle.code.java.security.LdapInjection
   private import semmle.code.java.security.XPath
   private import semmle.code.java.security.JexlInjection
+  private import semmle.code.java.frameworks.android.SQLite
+  private import semmle.code.java.frameworks.Jdbc
+  private import semmle.code.java.frameworks.SpringJdbc
+  private import semmle.code.java.frameworks.MyBatis
+  private import semmle.code.java.frameworks.Hibernate
+  private import semmle.code.java.frameworks.jOOQ
 }
 
 private predicate sourceModelCsv(string row) {

java/ql/src/semmle/code/java/frameworks/Hibernate.qll

@@ -3,6 +3,7 @@
  */
 
 import java
+import semmle.code.java.dataflow.ExternalFlow
 
 /** The interface `org.hibernate.query.QueryProducer`. */
 class HibernateQueryProducer extends RefType {
@@ -21,19 +22,18 @@ class HibernateSession extends RefType {
   HibernateSession() { this.hasQualifiedName("org.hibernate", "Session") }
 }
 
-/**
- * Holds if `m` is a method on `HibernateQueryProducer`, or `HibernateSharedSessionContract`
- * or `HibernateSession`, or a subclass, taking an SQL string as its first argument.
- */
-predicate hibernateSqlMethod(Method m) {
-  exists(RefType t |
-    t = m.getDeclaringType().getASourceSupertype*() and
-    (
-      t instanceof HibernateQueryProducer or
-      t instanceof HibernateSharedSessionContract or
-      t instanceof HibernateSession
-    )
-  ) and
-  m.getParameterType(0) instanceof TypeString and
-  m.hasName(["createQuery", "createNativeQuery", "createSQLQuery"])
+private class SqlSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.hibernate;QueryProducer;true;createQuery;;;Argument[0];sql",
+        "org.hibernate;QueryProducer;true;createNativeQuery;;;Argument[0];sql",
+        "org.hibernate;QueryProducer;true;createSQLQuery;;;Argument[0];sql",
+        "org.hibernate;SharedSessionContract;true;createQuery;;;Argument[0];sql",
+        "org.hibernate;SharedSessionContract;true;createSQLQuery;;;Argument[0];sql",
+        "org.hibernate;Session;true;createQuery;;;Argument[0];sql",
+        "org.hibernate;Session;true;createSQLQuery;;;Argument[0];sql"
+      ]
+  }
 }

java/ql/src/semmle/code/java/frameworks/Jdbc.qll

@@ -3,6 +3,7 @@
  */
 
 import semmle.code.java.Type
+import semmle.code.java.dataflow.ExternalFlow
 
 /*--- Types ---*/
 /** The interface `java.sql.Connection`. */
@@ -26,62 +27,6 @@ class TypeStatement extends Interface {
 }
 
 /*--- Methods ---*/
-/** A method with the name `prepareStatement` declared in `java.sql.Connection`. */
-class ConnectionPrepareStatement extends Method {
-  ConnectionPrepareStatement() {
-    getDeclaringType() instanceof TypeConnection and
-    hasName("prepareStatement")
-  }
-}
-
-/** A method with the name `prepareCall` declared in `java.sql.Connection`. */
-class ConnectionPrepareCall extends Method {
-  ConnectionPrepareCall() {
-    getDeclaringType() instanceof TypeConnection and
-    hasName("prepareCall")
-  }
-}
-
-/** A method with the name `executeQuery` declared in `java.sql.Statement`. */
-class StatementExecuteQuery extends Method {
-  StatementExecuteQuery() {
-    getDeclaringType() instanceof TypeStatement and
-    hasName("executeQuery")
-  }
-}
-
-/** A method with the name `execute` declared in `java.sql.Statement`. */
-class MethodStatementExecute extends Method {
-  MethodStatementExecute() {
-    getDeclaringType() instanceof TypeStatement and
-    hasName("execute")
-  }
-}
-
-/** A method with the name `executeUpdate` declared in `java.sql.Statement`. */
-class MethodStatementExecuteUpdate extends Method {
-  MethodStatementExecuteUpdate() {
-    getDeclaringType() instanceof TypeStatement and
-    hasName("executeUpdate")
-  }
-}
-
-/** A method with the name `executeLargeUpdate` declared in `java.sql.Statement`. */
-class MethodStatementExecuteLargeUpdate extends Method {
-  MethodStatementExecuteLargeUpdate() {
-    getDeclaringType() instanceof TypeStatement and
-    hasName("executeLargeUpdate")
-  }
-}
-
-/** A method with the name `addBatch` declared in `java.sql.Statement`. */
-class MethodStatementAddBatch extends Method {
-  MethodStatementAddBatch() {
-    getDeclaringType() instanceof TypeStatement and
-    hasName("addBatch")
-  }
-}
-
 /** A method with the name `getString` declared in `java.sql.ResultSet`. */
 class ResultSetGetStringMethod extends Method {
   ResultSetGetStringMethod() {
@@ -92,24 +37,18 @@ class ResultSetGetStringMethod extends Method {
 }
 
 /*--- Other definitions ---*/
-/**
- * An expression representing SQL code that occurs as an argument of
- * a method in `java.sql.Connection` or `java.sql.Statement`.
- */
-class SqlExpr extends Expr {
-  SqlExpr() {
-    exists(MethodAccess call, Method method |
-      call.getArgument(0) = this and
-      method = call.getMethod() and
-      (
-        method instanceof ConnectionPrepareStatement or
-        method instanceof ConnectionPrepareCall or
-        method instanceof StatementExecuteQuery or
-        method instanceof MethodStatementExecute or
-        method instanceof MethodStatementExecuteUpdate or
-        method instanceof MethodStatementExecuteLargeUpdate or
-        method instanceof MethodStatementAddBatch
-      )
-    )
+private class SqlSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "java.sql;Connection;true;prepareStatement;;;Argument[0];sql",
+        "java.sql;Connection;true;prepareCall;;;Argument[0];sql",
+        "java.sql;Statement;true;execute;;;Argument[0];sql",
+        "java.sql;Statement;true;executeQuery;;;Argument[0];sql",
+        "java.sql;Statement;true;executeUpdate;;;Argument[0];sql",
+        "java.sql;Statement;true;executeLargeUpdate;;;Argument[0];sql",
+        "java.sql;Statement;true;addBatch;;;Argument[0];sql"
+      ]
   }
 }

java/ql/src/semmle/code/java/frameworks/MyBatis.qll

@@ -3,25 +3,24 @@
  */
 
 import java
+import semmle.code.java.dataflow.ExternalFlow
 
 /** The class `org.apache.ibatis.jdbc.SqlRunner`. */
 class MyBatisSqlRunner extends RefType {
   MyBatisSqlRunner() { this.hasQualifiedName("org.apache.ibatis.jdbc", "SqlRunner") }
 }
 
-/**
- * Holds if `m` is a method on `MyBatisSqlRunner` taking an SQL string as its
- * first argument.
- */
-predicate mybatisSqlMethod(Method m) {
-  m.getDeclaringType() instanceof MyBatisSqlRunner and
-  m.getParameterType(0) instanceof TypeString and
-  (
-    m.hasName("delete") or
-    m.hasName("insert") or
-    m.hasName("run") or
-    m.hasName("selectAll") or
-    m.hasName("selectOne") or
-    m.hasName("update")
-  )
+private class SqlSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.apache.ibatis.jdbc;SqlRunner;false;delete;(String,Object[]);;Argument[0];sql",
+        "org.apache.ibatis.jdbc;SqlRunner;false;insert;(String,Object[]);;Argument[0];sql",
+        "org.apache.ibatis.jdbc;SqlRunner;false;run;(String);;Argument[0];sql",
+        "org.apache.ibatis.jdbc;SqlRunner;false;selectAll;(String,Object[]);;Argument[0];sql",
+        "org.apache.ibatis.jdbc;SqlRunner;false;selectOne;(String,Object[]);;Argument[0];sql",
+        "org.apache.ibatis.jdbc;SqlRunner;false;update;(String,Object[]);;Argument[0];sql"
+      ]
+  }
 }

java/ql/src/semmle/code/java/frameworks/SpringJdbc.qll

@@ -3,33 +3,28 @@
  */
 
 import java
+import semmle.code.java.dataflow.ExternalFlow
 
 /** The class `org.springframework.jdbc.core.JdbcTemplate`. */
 class JdbcTemplate extends RefType {
   JdbcTemplate() { this.hasQualifiedName("org.springframework.jdbc.core", "JdbcTemplate") }
 }
 
-/**
- * Holds if `m` is a method on `JdbcTemplate` taking an SQL string as its first
- * argument.
- */
-predicate jdbcSqlMethod(Method m) {
-  m.getDeclaringType() instanceof JdbcTemplate and
-  m.getParameterType(0) instanceof TypeString and
-  (
-    m.hasName("batchUpdate") or
-    m.hasName("execute") or
-    m.getName().matches("query%") or
-    m.hasName("update")
-  )
-}
-
-/** The method `JdbcTemplate.batchUpdate(String... sql)` */
-class BatchUpdateVarargsMethod extends Method {
-  BatchUpdateVarargsMethod() {
-    this.getDeclaringType() instanceof JdbcTemplate and
-    this.hasName("batchUpdate") and
-    this.getParameterType(0).(Array).getComponentType() instanceof TypeString and
-    this.getParameter(0).isVarargs()
+private class SqlSinkCsv extends SinkModelCsv {
+  override predicate row(string row) {
+    row =
+      [
+        //"package;type;overrides;name;signature;ext;spec;kind"
+        "org.springframework.jdbc.core;JdbcTemplate;false;batchUpdate;(String[]);;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;batchUpdate;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;execute;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;update;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;query;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForList;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForMap;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForObject;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForRowSet;;;Argument[0];sql",
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForStream;;;Argument[0];sql"
+      ]
   }
 }