
Commit 1644fb1

committed
Java: SqlConcatenated
1 parent b54734c commit 1644fb1

1 file changed

+11
-5
lines changed

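--- a/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlConcatenatedQuery.qll
@@ -25,16 +25,22 @@ module UncontrolledStringBuilderSourceFlowConfig implements DataFlow::ConfigSig
 
 predicate isBarrier(DataFlow::Node node) { node instanceof SimpleTypeSanitizer }
 
-predicate observeDiffInformedIncrementalMode() {
-any() // TODO: Make sure that the location overrides match the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
-}
+predicate observeDiffInformedIncrementalMode() { any() }
 
 Location getASelectedSourceLocation(DataFlow::Node source) {
-none() // TODO: Make sure that this source location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
+exists(Expr uncontrolled, StringBuilderVar sbv | result = uncontrolled.getLocation() |
+uncontrolledStringBuilderQuery(sbv, uncontrolled) and
+source = DataFlow::exprNode(sbv.getToStringCall())
+)
 }
 
 Location getASelectedSinkLocation(DataFlow::Node sink) {
-none() // TODO: Make sure that this sink location matches the query's select clause: Column 1 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:8:31:12), Column 3 does not select a source or sink originating from the flow call on line 27 (/Users/d10c/src/semmle-code/ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql@31:80:31:91)
+exists(QueryInjectionSink query, Expr uncontrolled |
+result = [query.getLocation(), uncontrolled.getLocation()] and
+builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
+)
+or
+result = sink.getLocation()
 }
 }
 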
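Review bot: In `getASelectedSinkLocation`, the first disjunct never mentions `sink`: `query` is a fresh existential, so every sink node is given the locations of every `QueryInjectionSink` that satisfies `builtFromUncontrolledConcat`, anywhere in the database. That over-approximation should not lose SQL-injection alerts, but it is a cross product and it keeps unrelated sinks selected whenever any such concatenation lies in the diff, which weakens the filtering that diff-informed mode is meant to provide. If the intent is to report the selected locations for this particular sink, bind it with `sink = query and` inside the `exists`; if the disjunct is instead meant to cover alerts that do not go through the flow call at all, it presumably does not belong in this config's predicate, and a short comment explaining why it is here would help. The enclosing module starts above the hunk, so the select clause these overrides must match is not visible here.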
