Merge pull request #3926 from rvermeulen/java-importable-cwe-089

aschackmull · web-flow · commit 99a4f8fd0bc5 · 2020-07-09T16:00:56.000+02:00
Java: Move `QueryInjectionSink` into importable library
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
@@ -1,50 +1,8 @@
 /** Definitions used by the queries for database query injection. */
 
-import semmle.code.java.Expr
+import java
 import semmle.code.java.dataflow.FlowSources
-import semmle.code.java.frameworks.android.SQLite
-import semmle.code.java.frameworks.javaee.Persistence
-import semmle.code.java.frameworks.SpringJdbc
-import semmle.code.java.frameworks.MyBatis
-import semmle.code.java.frameworks.Hibernate
-
-/** A sink for database query language injection vulnerabilities. */
-abstract class QueryInjectionSink extends DataFlow::ExprNode { }
-
-/** A sink for SQL injection vulnerabilities. */
-class SqlInjectionSink extends QueryInjectionSink {
-  SqlInjectionSink() {
-    this.getExpr() instanceof SqlExpr
-    or
-    exists(MethodAccess ma, Method m, int index |
-      ma.getMethod() = m and
-      ma.getArgument(index) = this.getExpr()
-    |
-      index = m.(SQLiteRunner).sqlIndex()
-      or
-      m instanceof BatchUpdateVarargsMethod
-      or
-      index = 0 and jdbcSqlMethod(m)
-      or
-      index = 0 and mybatisSqlMethod(m)
-      or
-      index = 0 and hibernateSqlMethod(m)
-    )
-  }
-}
-
-/** A sink for Java Persistence Query Language injection vulnerabilities. */
-class PersistenceQueryInjectionSink extends QueryInjectionSink {
-  PersistenceQueryInjectionSink() {
-    // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
-    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
-      call.getMethod() = em.getACreateQueryMethod() or
-      call.getMethod() = em.getACreateNativeQueryMethod()
-      // note: `createNamedQuery` is safe, as it takes only the query name,
-      // and named queries can only be constructed using constants as the query text
-    )
-  }
-}
+import semmle.code.java.security.QueryInjection
 
 private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
   QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura
 from QueryInjectionSink query, Expr uncontrolled
 where
   (
-    builtFromUncontrolledConcat(query.getExpr(), uncontrolled)
+    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
     or
     exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
       uncontrolledStringBuilderQuery(sbv, uncontrolled) and
diff --git a/java/ql/src/semmle/code/java/security/QueryInjection.qll b/java/ql/src/semmle/code/java/security/QueryInjection.qll
@@ -0,0 +1,48 @@
+/** Provides classes to reason about database query language injection vulnerabilities. */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.frameworks.Jdbc
+import semmle.code.java.frameworks.android.SQLite
+import semmle.code.java.frameworks.javaee.Persistence
+import semmle.code.java.frameworks.SpringJdbc
+import semmle.code.java.frameworks.MyBatis
+import semmle.code.java.frameworks.Hibernate
+
+/** A sink for database query language injection vulnerabilities. */
+abstract class QueryInjectionSink extends DataFlow::Node { }
+
+/** A sink for SQL injection vulnerabilities. */
+private class SqlInjectionSink extends QueryInjectionSink {
+  SqlInjectionSink() {
+    this.asExpr() instanceof SqlExpr
+    or
+    exists(MethodAccess ma, Method m, int index |
+      ma.getMethod() = m and
+      ma.getArgument(index) = this.asExpr()
+    |
+      index = m.(SQLiteRunner).sqlIndex()
+      or
+      m instanceof BatchUpdateVarargsMethod
+      or
+      index = 0 and jdbcSqlMethod(m)
+      or
+      index = 0 and mybatisSqlMethod(m)
+      or
+      index = 0 and hibernateSqlMethod(m)
+    )
+  }
+}
+
+/** A sink for Java Persistence Query Language injection vulnerabilities. */
+private class PersistenceQueryInjectionSink extends QueryInjectionSink {
+  PersistenceQueryInjectionSink() {
+    // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
+    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
+      call.getMethod() = em.getACreateQueryMethod() or
+      call.getMethod() = em.getACreateNativeQueryMethod()
+      // note: `createNamedQuery` is safe, as it takes only the query name,
+      // and named queries can only be constructed using constants as the query text
+    )
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura`
`40`	`40`	`from QueryInjectionSink query, Expr uncontrolled`
`41`	`41`	`where`
`42`	`42`	`(`
`43`		`- builtFromUncontrolledConcat(query.getExpr(), uncontrolled)`
	`43`	`+ builtFromUncontrolledConcat(query.asExpr(), uncontrolled)`
`44`	`44`	`or`
`45`	`45`	`exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf \|`
`46`	`46`	`uncontrolledStringBuilderQuery(sbv, uncontrolled) and`