Generalize QueryInjectionSink

rvermeulen · rvermeulen · commit 9a84abf2590a · 2020-07-09T12:32:17.000+02:00
Extends from the more general DataFlow::Node instead of
DataFlow::ExprNode
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura
 from QueryInjectionSink query, Expr uncontrolled
 where
   (
-    builtFromUncontrolledConcat(query.getExpr(), uncontrolled)
+    builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
     or
     exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
       uncontrolledStringBuilderQuery(sbv, uncontrolled) and
diff --git a/java/ql/src/semmle/code/java/security/QueryInjection.qll b/java/ql/src/semmle/code/java/security/QueryInjection.qll
@@ -10,16 +10,16 @@ import semmle.code.java.frameworks.MyBatis
 import semmle.code.java.frameworks.Hibernate
 
 /** A sink for database query language injection vulnerabilities. */
-abstract class QueryInjectionSink extends DataFlow::ExprNode { }
+abstract class QueryInjectionSink extends DataFlow::Node { }
 
 /** A sink for SQL injection vulnerabilities. */
 private class SqlInjectionSink extends QueryInjectionSink {
   SqlInjectionSink() {
-    this.getExpr() instanceof SqlExpr
+    this.asExpr() instanceof SqlExpr
     or
     exists(MethodAccess ma, Method m, int index |
       ma.getMethod() = m and
-      ma.getArgument(index) = this.getExpr()
+      ma.getArgument(index) = this.asExpr()
     |
       index = m.(SQLiteRunner).sqlIndex()
       or
@@ -38,7 +38,7 @@ private class SqlInjectionSink extends QueryInjectionSink {
 private class PersistenceQueryInjectionSink extends QueryInjectionSink {
   PersistenceQueryInjectionSink() {
     // the query (first) argument to a `createQuery` or `createNativeQuery` method on `EntityManager`
-    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.getExpr() |
+    exists(MethodAccess call, TypeEntityManager em | call.getArgument(0) = this.asExpr() |
       call.getMethod() = em.getACreateQueryMethod() or
       call.getMethod() = em.getACreateNativeQueryMethod()
       // note: `createNamedQuery` is safe, as it takes only the query name,

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configura`
`40`	`40`	`from QueryInjectionSink query, Expr uncontrolled`
`41`	`41`	`where`
`42`	`42`	`(`
`43`		`- builtFromUncontrolledConcat(query.getExpr(), uncontrolled)`
	`43`	`+ builtFromUncontrolledConcat(query.asExpr(), uncontrolled)`
`44`	`44`	`or`
`45`	`45`	`exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf \|`
`46`	`46`	`uncontrolledStringBuilderQuery(sbv, uncontrolled) and`