Modify according to suggestions

Author: haby0

java/ql/lib/semmle/code/java/frameworks/MyBatis.qll

@@ -35,124 +35,72 @@ class IbatisConfiguration extends RefType {
  */
 class IbatisConfigurationGetVariablesMethod extends Method {
   IbatisConfigurationGetVariablesMethod() {
-    getDeclaringType() instanceof IbatisConfiguration and
-    hasName("getVariables") and
-    getNumberOfParameters() = 0
+    this.getDeclaringType() instanceof IbatisConfiguration and
+    this.hasName("getVariables") and
+    this.getNumberOfParameters() = 0
   }
 }
 
 /**
  * An annotation type that identifies Ibatis select.
  */
 private class IbatisSelectAnnotationType extends AnnotationType {
-  IbatisSelectAnnotationType() {
-    this.hasQualifiedName("org.apache.ibatis.annotations", "Select") or
-    this.getAnAnnotation().getType() instanceof IbatisSelectAnnotationType
-  }
+  IbatisSelectAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Select") }
 }
 
 /**
  * An annotation type that identifies Ibatis delete.
  */
 private class IbatisDeleteAnnotationType extends AnnotationType {
-  IbatisDeleteAnnotationType() {
-    this.hasQualifiedName("org.apache.ibatis.annotations", "Delete") or
-    this.getAnAnnotation().getType() instanceof IbatisDeleteAnnotationType
-  }
+  IbatisDeleteAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Delete") }
 }
 
 /**
  * An annotation type that identifies Ibatis insert.
  */
 private class IbatisInsertAnnotationType extends AnnotationType {
-  IbatisInsertAnnotationType() {
-    this.hasQualifiedName("org.apache.ibatis.annotations", "Insert") or
-    this.getAnAnnotation().getType() instanceof IbatisInsertAnnotationType
-  }
+  IbatisInsertAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Insert") }
 }
 
 /**
  * An annotation type that identifies Ibatis update.
  */
 private class IbatisUpdateAnnotationType extends AnnotationType {
-  IbatisUpdateAnnotationType() {
-    this.hasQualifiedName("org.apache.ibatis.annotations", "Update") or
-    this.getAnAnnotation().getType() instanceof IbatisUpdateAnnotationType
-  }
+  IbatisUpdateAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Update") }
 }
 
 /**
  * Ibatis sql operation annotation.
  */
-abstract class IbatisSqlOperationAnnotation extends Annotation {
-  abstract string getSqlValue();
-}
-
-/**
- * A `@org.apache.ibatis.annotations.Select` annotation.
- */
-private class IbatisSelectAnnotation extends IbatisSqlOperationAnnotation {
-  IbatisSelectAnnotation() { this.getType() instanceof IbatisSelectAnnotationType }
-
-  string getSelectValue() {
-    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
-    result =
-      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
-  }
-
-  override string getSqlValue() { result = getSelectValue() }
-}
-
-/**
- * A `@org.apache.ibatis.annotations.Delete` annotation.
- */
-private class IbatisDeleteAnnotation extends IbatisSqlOperationAnnotation {
-  IbatisDeleteAnnotation() { this.getType() instanceof IbatisDeleteAnnotationType }
-
-  string getDeleteValue() {
-    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
-    result =
-      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+class IbatisSqlOperationAnnotation extends Annotation {
+  IbatisSqlOperationAnnotation() {
+    this.getType() instanceof IbatisSelectAnnotationType or
+    this.getType() instanceof IbatisDeleteAnnotationType or
+    this.getType() instanceof IbatisInsertAnnotationType or
+    this.getType() instanceof IbatisUpdateAnnotationType
   }
 
-  override string getSqlValue() { result = getDeleteValue() }
-}
-
-/**
- * A `@org.apache.ibatis.annotations.Insert` annotation.
- */
-private class IbatisInsertAnnotation extends IbatisSqlOperationAnnotation {
-  IbatisInsertAnnotation() { this.getType() instanceof IbatisInsertAnnotationType }
-
-  string getInsertValue() {
+  /**
+   * Get the SQL statement string.
+   */
+  string getSqlValue() {
     result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
     result =
       this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
   }
-
-  override string getSqlValue() { result = getInsertValue() }
 }
 
 /**
- * A `@org.apache.ibatis.annotations.Update` annotation.
+ * Methods annotated with `@org.apache.ibatis.annotations.Select` or `@org.apache.ibatis.annotations.Delete`
+ * or `@org.apache.ibatis.annotations.Update` or `@org.apache.ibatis.annotations.Insert`.
  */
-private class IbatisUpdateAnnotation extends IbatisSqlOperationAnnotation {
-  IbatisUpdateAnnotation() { this.getType() instanceof IbatisUpdateAnnotationType }
-
-  string getUpdateValue() {
-    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
-    result =
-      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+class MyBatisSqlOperationAnnotationMethod extends Method {
+  MyBatisSqlOperationAnnotationMethod() {
+    this.getAnAnnotation() instanceof IbatisSqlOperationAnnotation
   }
-
-  override string getSqlValue() { result = getUpdateValue() }
 }
 
-// Mybatis uses sql operation to annotate the method of interacting with the database.
-class MybatisSqlOperationAnnotationMethod extends Method {
-  MybatisSqlOperationAnnotationMethod() {
-    exists(IbatisSqlOperationAnnotation isoa |
-      this.getAnAnnotation() = isoa  
-    )
-  }
+/** The interface `org.apache.ibatis.annotations.Param`. */
+class TypeParam extends Interface {
+  TypeParam() { this.hasQualifiedName("org.apache.ibatis.annotations", "Param") }
 }

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.qhelp

@@ -4,23 +4,21 @@
   "qhelp.dtd">
 <qhelp>
 <overview>
-<p>MyBatis operates the database by using @Select, @Insert, etc. annotations in the method, and can use the $ character 
-to construct dynamic SQL statements. Attackers can modify the meaning of statements or execute arbitrary SQL commands.</p>
+<p>MyBatis allows operating the database by annotating a method with the annotations <code>@Select</code>, <code>@Insert</code>, etc. to construct dynamic SQL statements.
+If the syntax `${param}` is used in those statements, and `param` is a parameter of the annotated method, attackers can exploit this to tamper with the SQL statements or execute arbitrary SQL commands.</p>
 </overview>
 
 <<recommendation>
 <p>
-When writing MyBatis mapping statements, try to use the format "#{xxx}". If you have to use parameters 
-such as "${xxx}", you must manually filter to prevent SQL injection attacks.
+When writing MyBatis mapping statements, try to use the syntax <code>#{xxx}</code>. If the syntax <code>${xxx}</code> must be used, any parameters included in it should be sanitized to prevent SQL injection attacks.
 </p>
 </recommendation>
 
 <example>
 <p>
-The following examples show the bad situation and the good situation respectively. The <code>bad1</code> method uses <code>$(name)</code> 
-in the <code>@Select</code> annotation to dynamically splice SQL statements, and there is a SQL injection vulnerability. 
-The good1 method uses the <code>#{name}</code> method in the <code>@Select</code> annotation to splice SQL statements, 
-and the MyBatis framework will handle the dangerous characters entered by the user, And did not cause SQL injection vulnerabilities.
+The following sample shows a bad and a good example of MyBatis annotations usage. The <code>bad1</code> method uses <code>$(name)</code> 
+in the <code>@Select</code> annotation to dynamically build a SQL statement, which causes a SQL injection vulnerability. 
+The <code>good1</code> method uses <code>#{name}</code> in the <code>@Select</code> annotation to to dynamically include the parameter in a SQL statement, which allows the MyBatis framework to handle the sanitization, preventing the vulnerability.
 </p>
 <sample src="MyBatisAnnotationSqlInjection.java" />
 </example>

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -1,20 +1,19 @@
 /**
- * @name MyBatis annotation sql injection
+ * @name SQL injection in MyBatis annotation
  * @description Constructing a dynamic SQL statement with input that comes from an
  *              untrusted source could allow an attacker to modify the statement's
  *              meaning or to execute arbitrary SQL commands.
  * @kind path-problem
  * @problem.severity error
  * @precision high
- * @id java/sql-injection
+ * @id java/mybatis-annotation-sql-injection
  * @tags security
  *       external/cwe/cwe-089
  */
 
 import java
 import DataFlow::PathGraph
 import MyBatisAnnotationSqlInjectionLib
-import semmle.code.java.security.SanitizerGuard
 import semmle.code.java.dataflow.FlowSources
 
 private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::Configuration {
@@ -32,10 +31,6 @@ private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::
     node.getType() instanceof NumberType
   }
 
-  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
-    guard instanceof ContainsSanitizer or guard instanceof EqualsSanitizer
-  }
-
   override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
     exists(MethodAccess ma |
       ma.getMethod().getDeclaringType() instanceof MapType and
@@ -60,5 +55,5 @@ where
   cfg.hasFlowPath(source, sink) and
   isMybatisAnnotationSqlInjection(sink.getNode(), isoa)
 select sink.getNode(), source, sink,
-  "MyBatis annotation sql injection might include code from $@ to $@.", source.getNode(),
-  "this user input", isoa, "this sql operation"
+  "MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(),
+  "this user input", isoa, "this SQL operation"

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides classes for SQL injection detection in MyBatis annotation.
+ */
+
 import java
 import MyBatisCommonLib
 import semmle.code.xml.MyBatisMapperXML
@@ -7,15 +11,15 @@ import semmle.code.java.frameworks.Properties
 /** A sink for MyBatis annotation method call an argument. */
 class MyBatisAnnotationMethodCallAnArgument extends DataFlow::Node {
   MyBatisAnnotationMethodCallAnArgument() {
-    exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma | ma.getMethod() = msoam |
+    exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma | ma.getMethod() = msoam |
       ma.getAnArgument() = this.asExpr()
     )
   }
 }
 
 /** Get the #{...} or ${...} parameters in the Mybatis annotation value. */
 private string getAnMybatiAnnotationSetValue(IbatisSqlOperationAnnotation isoa) {
-  result = isoa.getSqlValue().trim().regexpFind("(#|\\$)(\\{([^\\}]*\\}))", _, _)
+  result = isoa.getSqlValue().trim().regexpFind("(#|\\$)\\{[^\\}]*\\}", _, _)
 }
 
 predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperationAnnotation isoa) {
@@ -27,15 +31,15 @@ predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperatio
   //    @Select(select id,name from test where name like '%${value}%')
   //    Test test(String name);
   // ```
-  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, string res |
+  exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma, string res |
     msoam = ma.getMethod()
   |
     msoam.getAnAnnotation() = isoa and
     res = getAnMybatiAnnotationSetValue(isoa) and
     msoam.getNumberOfParameters() = 1 and
-    not ma.getMethod().getAParameter().hasAnnotation() and
+    not ma.getMethod().getAParameter().getAnAnnotation().getType() instanceof TypeParam and
     res.matches("%${%}") and
-    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    not res = "${" + getAnMybatisConfigurationVariableKey() + "}" and
     ma.getAnArgument() = node.asExpr()
   )
   or
@@ -47,19 +51,19 @@ predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperatio
   //    @Select(select id,name from test where name like '%${value}%')
   //    Test test(Map map);
   // ```
-  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
+  exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
     msoam = ma.getMethod()
   |
     msoam.getAnAnnotation() = isoa and
-    not ma.getMethod().getParameter(i).hasAnnotation() and
+    not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
     (
       ma.getMethod().getParameterType(i) instanceof MapType or
       ma.getMethod().getParameterType(i) instanceof ListType or
       ma.getMethod().getParameterType(i) instanceof Array
     ) and
     res = getAnMybatiAnnotationSetValue(isoa) and
     res.matches("%${%}") and
-    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    not res = "${" + getAnMybatisConfigurationVariableKey() + "}" and
     ma.getArgument(i) = node.asExpr()
   )
   or
@@ -71,13 +75,13 @@ predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperatio
   //    @Select(select id,name from test order by ${name,jdbcType=VARCHAR})
   //    void test(Test test);
   // ```
-  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, Class c |
+  exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, RefType t |
     msoam = ma.getMethod()
   |
     msoam.getAnAnnotation() = isoa and
-    not ma.getMethod().getParameter(i).hasAnnotation() and
-    ma.getMethod().getParameterType(i).getName() = c.getName() and
-    getAnMybatiAnnotationSetValue(isoa).matches("%${" + c.getAField().getName() + "%}") and
+    not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
+    ma.getMethod().getParameterType(i).getName() = t.getName() and
+    getAnMybatiAnnotationSetValue(isoa).matches("%${" + t.getAField().getName() + "%}") and
     ma.getArgument(i) = node.asExpr()
   )
   or
@@ -89,12 +93,10 @@ predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperatio
   //    @Select(select id,name from test order by ${orderby,jdbcType=VARCHAR})
   //    void test(@Param("orderby") String name);
   // ```
-  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, Annotation annotation |
-    msoam = ma.getMethod()
+  exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, Annotation annotation |
+    msoam = ma.getMethod() and ma.getMethod().getParameter(i).getAnAnnotation() = annotation
   |
     msoam.getAnAnnotation() = isoa and
-    ma.getMethod().getParameter(i).hasAnnotation() and
-    ma.getMethod().getParameter(i).getAnAnnotation() = annotation and
     annotation.getType() instanceof TypeParam and
     getAnMybatiAnnotationSetValue(isoa)
         .matches("%${" + annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
@@ -109,18 +111,18 @@ predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperatio
   //    @Select(select id,name from test order by ${arg0,jdbcType=VARCHAR})
   //    void test(String name);
   // ```
-  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
+  exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
     msoam = ma.getMethod()
   |
     msoam.getAnAnnotation() = isoa and
-    not ma.getMethod().getParameter(i).hasAnnotation() and
+    not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
     res = getAnMybatiAnnotationSetValue(isoa) and
     (
       res.matches("%${param" + (i + 1) + "%}")
       or
       res.matches("%${arg" + i + "%}")
     ) and
-    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    not res = "${" + getAnMybatisConfigurationVariableKey() + "}" and
     ma.getArgument(i) = node.asExpr()
   )
 }

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -1,3 +1,7 @@
+/**
+ * Provides public classes for MyBatis SQL injection detection.
+ */
+
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.frameworks.MyBatis
@@ -28,15 +32,10 @@ private class PropertiesFlowConfig extends DataFlow2::Configuration {
 string getAnMybatisConfigurationVariableKey() {
   exists(PropertiesFlowConfig conf, DataFlow::Node n |
     propertiesKey(n, result) and
-    conf.hasFlow(_, n)
+    conf.hasFlowTo(n)
   )
 }
 
-/** The interface `org.apache.ibatis.annotations.Param`. */
-class TypeParam extends Interface {
-  TypeParam() { this.hasQualifiedName("org.apache.ibatis.annotations", "Param") }
-}
-
 /** A reference type that extends a parameterization of `java.util.List`. */
 class ListType extends RefType {
   ListType() {

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.qhelp

@@ -9,16 +9,15 @@
 
 <<recommendation>
 <p>
-When writing MyBatis mapping statements, try to use the format "#{xxx}". If you have to use parameters 
-such as "${xxx}", you must manually filter to prevent SQL injection attacks.
+When writing MyBatis mapping statements, try to use the syntax <code>#{xxx}</code>. If the syntax <code>${xxx}</code> must be used, any parameters included in it should be sanitized to prevent SQL injection attacks.
 </p>
 </recommendation>
 
 <example>
 <p>
 The following examples show the bad situation and the good situation respectively. In <code>bad1</code> 
 and <code>bad2</code> and <code>bad3</code> and <code>bad4</code> and <code >bad5</code>, the program 
-${ xxx} are dynamic SQL statements, these five examples of SQL injection vulnerabilities. In <code>good1</code>, 
+${xxx} are dynamic SQL statements, these five examples of SQL injection vulnerabilities. In <code>good1</code>, 
 the program uses the ${xxx} dynamic feature SQL statement, but there are subtle restrictions on the data, 
 and there is no SQL injection vulnerability.
 </p>