Include switch and instanceof binding in Variable.getAnAssignedValue, and test via endsInQuote

smowton · smowton · commit 29fdd04eb044 · 2023-11-30T11:24:05.000Z
diff --git a/java/ql/lib/semmle/code/java/Variable.qll b/java/ql/lib/semmle/code/java/Variable.qll
@@ -15,9 +15,12 @@ class Variable extends @variable, Annotatable, Element, Modifiable {
   /** Gets an access to this variable. */
   VarAccess getAnAccess() { variableBinding(result, this) }
 
-  /** Gets an expression on the right-hand side of an assignment to this variable. */
+  /**
+   * Gets an expression assigned to this variable, either appearing on the right-hand side of an
+   * assignment or bound to it via a binding `instanceof` expression or `switch` block.
+   */
   Expr getAnAssignedValue() {
-    exists(LocalVariableDeclExpr e | e.getVariable() = this and result = e.getInit())
+    exists(LocalVariableDeclExpr e | e.getVariable() = this and result = e.getInitOrPatternSource())
     or
     exists(AssignExpr e | e.getDest() = this.getAnAccess() and result = e.getSource())
   }
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlConcatenated.expected
@@ -9,3 +9,4 @@
 | Test.java:98:47:98:60 | queryFromField | Query built by concatenation with $@, which may be untrusted. | Test.java:97:8:97:19 | categoryName | this expression |
 | Test.java:108:47:108:61 | querySbToString | Query built by concatenation with $@, which may be untrusted. | Test.java:104:19:104:30 | categoryName | this expression |
 | Test.java:118:47:118:62 | querySb2ToString | Query built by concatenation with $@, which may be untrusted. | Test.java:114:46:114:57 | categoryName | this expression |
+| Test.java:221:81:221:111 | ... + ... | Query built by concatenation with $@, which may be untrusted. | Test.java:221:95:221:102 | category | this expression |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SqlTaintedLocal.expected
@@ -13,10 +13,13 @@ edges
 | Test.java:60:29:60:35 | querySb : StringBuilder | Test.java:60:29:60:46 | toString(...) : String |
 | Test.java:60:29:60:46 | toString(...) : String | Test.java:62:47:62:61 | querySbToString |
 | Test.java:183:33:183:45 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName |
-| Test.java:213:26:213:38 | args : String[] | Test.java:214:11:214:14 | args : String[] |
-| Test.java:213:26:213:38 | args : String[] | Test.java:218:14:218:17 | args : String[] |
-| Test.java:214:11:214:14 | args : String[] | Test.java:29:30:29:42 | args : String[] |
-| Test.java:218:14:218:17 | args : String[] | Test.java:183:33:183:45 | args : String[] |
+| Test.java:213:34:213:46 | args : String[] | Test.java:221:81:221:111 | ... + ... |
+| Test.java:227:26:227:38 | args : String[] | Test.java:228:11:228:14 | args : String[] |
+| Test.java:227:26:227:38 | args : String[] | Test.java:232:14:232:17 | args : String[] |
+| Test.java:227:26:227:38 | args : String[] | Test.java:233:15:233:18 | args : String[] |
+| Test.java:228:11:228:14 | args : String[] | Test.java:29:30:29:42 | args : String[] |
+| Test.java:232:14:232:17 | args : String[] | Test.java:183:33:183:45 | args : String[] |
+| Test.java:233:15:233:18 | args : String[] | Test.java:213:34:213:46 | args : String[] |
 nodes
 | Mongo.java:10:29:10:41 | args : String[] | semmle.label | args : String[] |
 | Mongo.java:17:45:17:67 | parse(...) | semmle.label | parse(...) |
@@ -35,17 +38,21 @@ nodes
 | Test.java:78:46:78:50 | query | semmle.label | query |
 | Test.java:183:33:183:45 | args : String[] | semmle.label | args : String[] |
 | Test.java:209:47:209:68 | queryWithUserTableName | semmle.label | queryWithUserTableName |
-| Test.java:213:26:213:38 | args : String[] | semmle.label | args : String[] |
-| Test.java:214:11:214:14 | args : String[] | semmle.label | args : String[] |
-| Test.java:218:14:218:17 | args : String[] | semmle.label | args : String[] |
+| Test.java:213:34:213:46 | args : String[] | semmle.label | args : String[] |
+| Test.java:221:81:221:111 | ... + ... | semmle.label | ... + ... |
+| Test.java:227:26:227:38 | args : String[] | semmle.label | args : String[] |
+| Test.java:228:11:228:14 | args : String[] | semmle.label | args : String[] |
+| Test.java:232:14:232:17 | args : String[] | semmle.label | args : String[] |
+| Test.java:233:15:233:18 | args : String[] | semmle.label | args : String[] |
 subpaths
 #select
 | Mongo.java:17:45:17:67 | parse(...) | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:17:45:17:67 | parse(...) | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
 | Mongo.java:21:49:21:52 | json | Mongo.java:10:29:10:41 | args : String[] | Mongo.java:21:49:21:52 | json | This query depends on a $@. | Mongo.java:10:29:10:41 | args | user-provided value |
-| Test.java:36:47:36:52 | query1 | Test.java:213:26:213:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:42:57:42:62 | query2 | Test.java:213:26:213:38 | args : String[] | Test.java:42:57:42:62 | query2 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:50:62:50:67 | query3 | Test.java:213:26:213:38 | args : String[] | Test.java:50:62:50:67 | query3 | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:62:47:62:61 | querySbToString | Test.java:213:26:213:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:70:40:70:44 | query | Test.java:213:26:213:38 | args : String[] | Test.java:70:40:70:44 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:78:46:78:50 | query | Test.java:213:26:213:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
-| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:213:26:213:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:213:26:213:38 | args | user-provided value |
+| Test.java:36:47:36:52 | query1 | Test.java:227:26:227:38 | args : String[] | Test.java:36:47:36:52 | query1 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:42:57:42:62 | query2 | Test.java:227:26:227:38 | args : String[] | Test.java:42:57:42:62 | query2 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:50:62:50:67 | query3 | Test.java:227:26:227:38 | args : String[] | Test.java:50:62:50:67 | query3 | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:62:47:62:61 | querySbToString | Test.java:227:26:227:38 | args : String[] | Test.java:62:47:62:61 | querySbToString | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:70:40:70:44 | query | Test.java:227:26:227:38 | args : String[] | Test.java:70:40:70:44 | query | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:78:46:78:50 | query | Test.java:227:26:227:38 | args : String[] | Test.java:78:46:78:50 | query | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:209:47:209:68 | queryWithUserTableName | Test.java:227:26:227:38 | args : String[] | Test.java:209:47:209:68 | queryWithUserTableName | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
+| Test.java:221:81:221:111 | ... + ... | Test.java:227:26:227:38 | args : String[] | Test.java:221:81:221:111 | ... + ... | This query depends on a $@. | Test.java:227:26:227:38 | args | user-provided value |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java b/java/ql/test/query-tests/security/CWE-089/semmle/examples/Test.java
@@ -210,12 +210,27 @@ private static void tableNames(String[] args) throws IOException, SQLException {
 		}
 	}
 
+	private static void bindingVars(String[] args) throws IOException, SQLException {
+                // BAD: the category might have SQL special characters in it
+                {
+                        String category = args[1];
+                        Statement statement = connection.createStatement();
+			String prefix = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='";
+			String suffix = "' ORDER BY PRICE";
+			switch(prefix) {
+				case String prefixAlias when prefix.length() > 10 -> statement.executeQuery(prefixAlias + category + suffix);
+				default -> { }
+			}
+		}
+	}
+
 	public static void main(String[] args) throws IOException, SQLException {
 		tainted(args);
 		unescaped();
 		good(args);
 		controlledStrings();
 		tableNames(args);
+		bindingVars(args);
 	}
 }
 
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/controlledString.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/controlledString.expected
@@ -1,6 +1,16 @@
 | <clinit> | 1 | Test.java:20:2:20:9 | FloorWax |
 | <clinit> | 1 | Test.java:20:12:20:18 | Topping |
 | <clinit> | 1 | Test.java:20:21:20:28 | Biscuits |
+| bindingVars | 3 | Test.java:216:48:216:48 | 1 |
+| bindingVars | 5 | Test.java:218:20:218:73 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
+| bindingVars | 6 | Test.java:219:20:219:37 | "' ORDER BY PRICE" |
+| bindingVars | 7 | Test.java:220:11:220:16 | prefix |
+| bindingVars | 8 | Test.java:221:34:221:39 | prefix |
+| bindingVars | 8 | Test.java:221:34:221:48 | length(...) |
+| bindingVars | 8 | Test.java:221:34:221:53 | ... > ... |
+| bindingVars | 8 | Test.java:221:52:221:53 | 10 |
+| bindingVars | 8 | Test.java:221:81:221:91 | prefixAlias |
+| bindingVars | 8 | Test.java:221:106:221:111 | suffix |
 | checkIdentifier | 1 | Validation.java:7:12:7:16 | i |
 | checkIdentifier | 1 | Validation.java:7:16:7:16 | 0 |
 | checkIdentifier | 1 | Validation.java:7:19:7:19 | i |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/endsInQuote.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/endsInQuote.expected
@@ -1,3 +1,7 @@
+| bindingVars | 5 | Test.java:218:20:218:73 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
+| bindingVars | 7 | Test.java:220:11:220:16 | prefix |
+| bindingVars | 8 | Test.java:221:34:221:39 | prefix |
+| bindingVars | 8 | Test.java:221:81:221:91 | prefixAlias |
 | controlledStrings | 4 | Test.java:137:26:137:79 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
 | controlledStrings | 12 | Test.java:145:27:145:80 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
 | controlledStrings | 20 | Test.java:153:35:153:88 | "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='" |
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/options b/java/ql/test/query-tests/security/CWE-089/semmle/examples/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive --release 21
diff --git a/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected b/java/ql/test/query-tests/security/CWE-089/semmle/examples/taintedString.expected
@@ -59,9 +59,15 @@
 | Test.java:183:22:183:31 | tableNames | 23 | Test.java:206:36:208:55 | ... + ... |
 | Test.java:183:22:183:31 | tableNames | 24 | Test.java:207:8:207:18 | userTabName |
 | Test.java:183:22:183:31 | tableNames | 26 | Test.java:209:47:209:68 | queryWithUserTableName |
-| Test.java:213:21:213:24 | main | 1 | Test.java:214:11:214:14 | args |
-| Test.java:213:21:213:24 | main | 3 | Test.java:216:8:216:11 | args |
-| Test.java:213:21:213:24 | main | 5 | Test.java:218:14:218:17 | args |
+| Test.java:213:22:213:32 | bindingVars | 3 | Test.java:216:43:216:46 | args |
+| Test.java:213:22:213:32 | bindingVars | 3 | Test.java:216:43:216:49 | ...[...] |
+| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:81:221:102 | ... + ... |
+| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:81:221:111 | ... + ... |
+| Test.java:213:22:213:32 | bindingVars | 8 | Test.java:221:95:221:102 | category |
+| Test.java:227:21:227:24 | main | 1 | Test.java:228:11:228:14 | args |
+| Test.java:227:21:227:24 | main | 3 | Test.java:230:8:230:11 | args |
+| Test.java:227:21:227:24 | main | 5 | Test.java:232:14:232:17 | args |
+| Test.java:227:21:227:24 | main | 6 | Test.java:233:15:233:18 | args |
 | Validation.java:6:21:6:35 | checkIdentifier | 1 | Validation.java:7:23:7:24 | id |
 | Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:14 | id |
 | Validation.java:6:21:6:35 | checkIdentifier | 2 | Validation.java:8:13:8:24 | charAt(...) |

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive`
	`1`	`+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8:${testdir}/../../../../../stubs/apache-hive --release 21`