Java: add a class for PreparedStatement methods that update a database

Jami Cogswell · Jami Cogswell · commit 43a288070c03 · 2025-01-30T10:13:37.000-05:00
diff --git a/java/ql/lib/semmle/code/java/frameworks/Jdbc.qll b/java/ql/lib/semmle/code/java/frameworks/Jdbc.qll
@@ -34,3 +34,19 @@ class ResultSetGetStringMethod extends Method {
     this.getReturnType() instanceof TypeString
   }
 }
+
+/** A method with the name `executeUpdate` declared in `java.sql.PreparedStatement`. */
+class PreparedStatementExecuteUpdateMethod extends Method {
+  PreparedStatementExecuteUpdateMethod() {
+    this.getDeclaringType() instanceof TypePreparedStatement and
+    this.hasName("executeUpdate")
+  }
+}
+
+/** A method with the name `executeLargeUpdate` declared in `java.sql.PreparedStatement`. */
+class PreparedStatementExecuteLargeUpdateMethod extends Method {
+  PreparedStatementExecuteLargeUpdateMethod() {
+    this.getDeclaringType() instanceof TypePreparedStatement and
+    this.hasName("executeLargeUpdate")
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
@@ -3,6 +3,7 @@
 import java
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.MyBatis
+private import semmle.code.java.frameworks.Jdbc
 
 /** A method that is not protected from CSRF by default. */
 abstract class CsrfUnprotectedMethod extends Method { }
@@ -45,3 +46,11 @@ private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {
     )
   }
 }
+
+/** A method declared in `java.sql.PreparedStatement` that updates a database. */
+private class PreparedStatementDatabaseUpdateMethod extends DatabaseUpdateMethod {
+  PreparedStatementDatabaseUpdateMethod() {
+    this instanceof PreparedStatementExecuteUpdateMethod or
+    this instanceof PreparedStatementExecuteLargeUpdateMethod
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@`
`3`	`3`	`import java`
`4`	`4`	`private import semmle.code.java.frameworks.spring.SpringController`
`5`	`5`	`private import semmle.code.java.frameworks.MyBatis`
	`6`	`+private import semmle.code.java.frameworks.Jdbc`
`6`	`7`
`7`	`8`	`/** A method that is not protected from CSRF by default. */`
`8`	`9`	`abstract class CsrfUnprotectedMethod extends Method { }`
`@@ -45,3 +46,11 @@ private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {`
`45`	`46`	`)`
`46`	`47`	`}`
`47`	`48`	`}`
	`49`	`+`
	`50`	+/** A method declared in `java.sql.PreparedStatement` that updates a database. */
	`51`	`+private class PreparedStatementDatabaseUpdateMethod extends DatabaseUpdateMethod {`
	`52`	`+ PreparedStatementDatabaseUpdateMethod() {`
	`53`	`+ this instanceof PreparedStatementExecuteUpdateMethod or`
	`54`	`+ this instanceof PreparedStatementExecuteLargeUpdateMethod`
	`55`	`+ }`
	`56`	`+}`