Refactor DatabaseInput to MaD

egregius313 · egregius313 · commit 3a75c0fde7a1 · 2023-10-03T22:28:59.000-04:00
diff --git a/java/ql/lib/ext/java.sql.model.yml b/java/ql/lib/ext/java.sql.model.yml
@@ -45,3 +45,8 @@ extensions:
       - ["java.sql", "ResultSet", "getTimestamp", "(String)", "summary", "manual"]      # taint-numeric
       - ["java.sql", "Timestamp", "Timestamp", "(long)", "summary", "manual"]           # taint-numeric
       - ["java.sql", "Timestamp", "getTime", "()", "summary", "manual"]                 # taint-numeric
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["java.sql", "ResultSet", True, "getString", "", "", "ReturnValue", "database", "manual"]
diff --git a/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll b/java/ql/lib/semmle/code/java/dataflow/FlowSources.qll
@@ -286,7 +286,7 @@ deprecated class DatabaseInput = DbInput;
  * A node with input from a database.
  */
 private class DbInput extends LocalUserInput {
-  DbInput() { this.asExpr().(MethodAccess).getMethod() instanceof ResultSetGetStringMethod }
+  DbInput() { sourceNode(this, "database") }
 
   override string getThreatModel() { result = "database" }
 }

Original file line number	Diff line number	Diff line change
`@@ -286,7 +286,7 @@ deprecated class DatabaseInput = DbInput;`
`286`	`286`	`* A node with input from a database.`
`287`	`287`	`*/`
`288`	`288`	`private class DbInput extends LocalUserInput {`
`289`		`- DbInput() { this.asExpr().(MethodAccess).getMethod() instanceof ResultSetGetStringMethod }`
	`289`	`+ DbInput() { sourceNode(this, "database") }`
`290`	`290`
`291`	`291`	`override string getThreatModel() { result = "database" }`
`292`	`292`	`}`