Add MyBatis Mapper Sql Injection

Author: haby0

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>The MyBatis Mapper XML file allows the use of the $ character to construct dynamic SQL statements.
+ Attackers can modify the meaning of statements or execute arbitrary SQL commands.</p>
+</overview>
+
+<<recommendation>
+<p>
+When writing MyBatis mapping statements, try to use the format "#{xxx}". If you have to use parameters 
+such as "${xxx}", you must manually filter to prevent SQL injection attacks.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following examples show the bad situation and the good situation respectively. In <code>bad1</code> 
+and <code>bad2</code> and <code>bad3</code> and <code>bad4</code> and <code >bad5</code>, the program 
+${ xxx} are dynamic SQL statements, these five examples of SQL injection vulnerabilities. In <code>good1</code>, 
+the program uses the ${xxx} dynamic feature SQL statement, but there are subtle restrictions on the data, 
+and there is no SQL injection vulnerability.
+</p>
+<sample src="MyBatisMapperXmlSqlInjection.xml" />
+</example>
+
+<references>
+<li>
+Fortify:
+<a href="https://vulncat.fortify.com/en/detail?id=desc.config.java.sql_injection_mybatis_mapper">SQL Injection: MyBatis Mapper</a>.
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

@@ -0,0 +1,39 @@
+/**
+ * @name MyBatis Mapper xml sql injection
+ * @description Constructing a dynamic SQL statement with input that comes from an
+ *              untrusted source could allow an attacker to modify the statement's
+ *              meaning or to execute arbitrary SQL commands.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import java
+import DataFlow::PathGraph
+import MyBatisMapperXmlSqlInjectionLib
+import semmle.code.java.dataflow.FlowSources
+
+/**
+ * A taint-tracking configuration for tracking untrusted user input used by the Mybatis mapper xml file dynamic splicing sql use.
+ */
+private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::Configuration {
+  MyBatisMapperXmlSqlInjectionConfiguration() { this = "MyBatis mapper xml sql injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof MyBatisMapperXmlSqlInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
+  }
+}
+
+from MyBatisMapperXmlSqlInjectionConfiguration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink.getNode(), source, sink, "MyBatis Mapper XML sql injection might include code from $@.", source.getNode(),
+  "this user input"

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.xml

@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
+  "http://mybatis.org/dtd/mybatis-3-mapper.dtd" >
+<mapper namespace="SqlInjectionMapper">
+
+  <resultMap id="BaseResultMap" type="Test">
+    <id column="id" jdbcType="INTEGER" property="id"/>
+    <result column="name" jdbcType="VARCHAR" property="name"/>
+    <result column="pass" jdbcType="VARCHAR" property="pass"/>
+  </resultMap>
+
+  <sql id="Update_By_Example_Where_Clause">
+    <where>
+      <if test="name != null">
+        -- bad
+        and name = ${name}
+      </if>
+      <if test="id != null">
+        and id = #{id}
+      </if>
+    </where>
+  </sql>
+
+  <select id="bad1" parameterType="java.lang.String" resultMap="BaseResultMap">
+    -- bad
+    select id,name from test where name like '%${name}%'
+  </select>
+
+  <select id="bad2" parameterType="java.lang.String" resultMap="BaseResultMap">
+    -- bad
+    select id,name from test order by ${name} desc
+  </select>
+
+  <select id="bad3" parameterType="java.lang.String" resultMap="BaseResultMap">
+    -- bad
+    select id,name from test where name in ${name}
+  </select>
+
+  <update id="bad4" parameterType="Test">
+    update test
+    <set>
+      <if test="pass != null">
+        pass = #{pass},
+      </if>
+    </set>
+    <if test="_parameter != null">
+      -- bad
+      <include refid="Update_By_Example_Where_Clause" />
+    </if>
+  </update>
+
+  <insert id="bad5" parameterType="Test">
+    insert into test (name, pass)
+    <trim prefix="values (" suffix=")" suffixOverrides=",">
+      <if test="name != null">
+        -- bad
+        name = ${name},
+      </if>
+      <if test="pass != null">
+        -- bad
+        pass = ${pass},
+      </if>
+    </trim>
+  </insert>
+
+  <select id="good1" parameterType="java.lang.Integer" resultMap="BaseResultMap">
+    -- good
+    select id,name from test where id = ${id}
+  </select>
+</mapper>

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjectionLib.qll

@@ -0,0 +1,25 @@
+import java
+import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.dataflow.FlowSources
+
+/** A sink for MyBatis Mapper XML file sql injection vulnerabilities. */
+class MyBatisMapperXmlSqlInjectionSink extends DataFlow::Node {
+  MyBatisMapperXmlSqlInjectionSink() {
+    exists(MyBatisMapperSqlOperation mbmxe, MethodAccess ma |
+      mbmxe.getAChild*().getTextValue().trim().matches("%${%") and
+      mbmxe.getId() = ma.getMethod().getName() and
+      ma.getMethod().getDeclaringType() =
+        mbmxe.getParent().(MyBatisMapperXMLElement).getNamespaceRefType() and
+      ma.getAnArgument() = this.asExpr()
+    )
+    or
+    exists(MyBatisMapperSqlOperation mbmxe, MyBatisMapperSql mbms, MethodAccess ma |
+      mbmxe.getInclude().getRefid() = mbms.getId() and
+      mbms.getAChild*().getTextValue().trim().matches("%${%") and
+      mbmxe.getId() = ma.getMethod().getName() and
+      ma.getMethod().getDeclaringType() =
+        mbmxe.getParent().(MyBatisMapperXMLElement).getNamespaceRefType() and
+      ma.getAnArgument() = this.asExpr()
+    )
+  }
+}

java/ql/src/semmle/code/xml/MyBatisMapperXML.qll

@@ -0,0 +1,112 @@
+import java
+
+/**
+ * MyBatis Mapper XML file.
+ */
+class MyBatisMapperXMLFile extends XMLFile {
+  MyBatisMapperXMLFile() {
+    count(XMLElement e | e = this.getAChild()) = 1 and
+    this.getAChild().getName() = "mapper"
+  }
+}
+
+/**
+ * An XML element in a `MyBatisMapperXMLFile`.
+ */
+class MyBatisMapperXMLElement extends XMLElement {
+  MyBatisMapperXMLElement() { this.getFile() instanceof MyBatisMapperXMLFile }
+
+  /**
+   * Gets the value for this element, with leading and trailing whitespace trimmed.
+   */
+  string getValue() { result = allCharactersString().trim() }
+
+  /**
+   * Gets the reference type bound to MyBatis Mapper XML File.
+   */
+  RefType getNamespaceRefType() { result.getQualifiedName() = getAttribute("namespace").getValue() }
+}
+
+/**
+ * An MyBatis Mapper sql operation element.
+ */
+abstract class MyBatisMapperSqlOperation extends MyBatisMapperXMLElement {
+  abstract string getId();
+
+  /**
+   * Gets the `<include>` element in a `MyBatisMapperSqlOperation`.
+   */
+  MyBatisMapperInclude getInclude() { result = getAChild*() }
+}
+
+/**
+ * A `<insert>` element in a `MyBatisMapperSqlOperation`.
+ */
+class MyBatisMapperInsert extends MyBatisMapperSqlOperation {
+  MyBatisMapperInsert() { getName() = "insert" }
+
+  /**
+   * Gets the value of the `id` attribute of this `<insert>`.
+   */
+  override string getId() { result = getAttribute("id").getValue() }
+}
+
+/**
+ * A `<update>` element in a `MyBatisMapperSqlOperation`.
+ */
+class MyBatisMapperUpdate extends MyBatisMapperSqlOperation {
+  MyBatisMapperUpdate() { getName() = "update" }
+
+  /**
+   * Gets the value of the `id` attribute of this `<update>`.
+   */
+  override string getId() { result = getAttribute("id").getValue() }
+}
+
+/**
+ * A `<delete>` element in a `MyBatisMapperSqlOperation`.
+ */
+class MyBatisMapperDelete extends MyBatisMapperSqlOperation {
+  MyBatisMapperDelete() { getName() = "delete" }
+
+  /**
+   * Gets the value of the `id` attribute of this `<delete>`.
+   */
+  override string getId() { result = getAttribute("id").getValue() }
+}
+
+/**
+ * A `<select>` element in a `MyBatisMapperSqlOperation`.
+ */
+class MyBatisMapperSelect extends MyBatisMapperSqlOperation {
+  MyBatisMapperSelect() { getName() = "select" }
+
+  /**
+   * Gets the value of the `id` attribute of this `<select>`.
+   */
+  override string getId() { result = getAttribute("id").getValue() }
+}
+
+/**
+ * A `<select>` element in a `MyBatisMapperXMLElement`.
+ */
+class MyBatisMapperSql extends MyBatisMapperXMLElement {
+  MyBatisMapperSql() { getName() = "sql" }
+
+  /**
+   * Gets the value of the `id` attribute of this `<sql>`.
+   */
+  string getId() { result = getAttribute("id").getValue() }
+}
+
+/**
+ * A `<include>` element in a `MyBatisMapperXMLElement`.
+ */
+class MyBatisMapperInclude extends MyBatisMapperXMLElement {
+  MyBatisMapperInclude() { getName() = "include" }
+
+  /**
+   * Gets the value of the `refid` attribute of this `<include>`.
+   */
+  string getRefid() { result = getAttribute("refid").getValue() }
+}

java/ql/test/experimental/query-tests/security/CWE-089/MyBatisMapperXmlSqlInjection.expected

@@ -0,0 +1,43 @@
+edges
+| MybatisSqlInjection.java:16:25:16:35 | name : String | MybatisSqlInjection.java:17:55:17:58 | name : String |
+| MybatisSqlInjection.java:17:55:17:58 | name : String | MybatisSqlInjectionService.java:11:25:11:35 | name : String |
+| MybatisSqlInjection.java:22:25:22:35 | name : String | MybatisSqlInjection.java:23:55:23:58 | name : String |
+| MybatisSqlInjection.java:23:55:23:58 | name : String | MybatisSqlInjectionService.java:16:25:16:35 | name : String |
+| MybatisSqlInjection.java:28:25:28:35 | name : String | MybatisSqlInjection.java:29:55:29:58 | name : String |
+| MybatisSqlInjection.java:29:55:29:58 | name : String | MybatisSqlInjectionService.java:21:25:21:35 | name : String |
+| MybatisSqlInjection.java:34:19:34:40 | test : Test | MybatisSqlInjection.java:35:35:35:38 | test : Test |
+| MybatisSqlInjection.java:35:35:35:38 | test : Test | MybatisSqlInjectionService.java:26:19:26:27 | test : Test |
+| MybatisSqlInjection.java:39:19:39:40 | test : Test | MybatisSqlInjection.java:40:35:40:38 | test : Test |
+| MybatisSqlInjection.java:40:35:40:38 | test : Test | MybatisSqlInjectionService.java:30:19:30:27 | test : Test |
+| MybatisSqlInjectionService.java:11:25:11:35 | name : String | MybatisSqlInjectionService.java:12:47:12:50 | name |
+| MybatisSqlInjectionService.java:16:25:16:35 | name : String | MybatisSqlInjectionService.java:17:47:17:50 | name |
+| MybatisSqlInjectionService.java:21:25:21:35 | name : String | MybatisSqlInjectionService.java:22:47:22:50 | name |
+| MybatisSqlInjectionService.java:26:19:26:27 | test : Test | MybatisSqlInjectionService.java:27:27:27:30 | test |
+| MybatisSqlInjectionService.java:30:19:30:27 | test : Test | MybatisSqlInjectionService.java:31:27:31:30 | test |
+nodes
+| MybatisSqlInjection.java:16:25:16:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:17:55:17:58 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:22:25:22:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:23:55:23:58 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:28:25:28:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:29:55:29:58 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:34:19:34:40 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:35:35:35:38 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:39:19:39:40 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjection.java:40:35:40:38 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:11:25:11:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:12:47:12:50 | name | semmle.label | name |
+| MybatisSqlInjectionService.java:16:25:16:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:17:47:17:50 | name | semmle.label | name |
+| MybatisSqlInjectionService.java:21:25:21:35 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:22:47:22:50 | name | semmle.label | name |
+| MybatisSqlInjectionService.java:26:19:26:27 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:27:27:27:30 | test | semmle.label | test |
+| MybatisSqlInjectionService.java:30:19:30:27 | test : Test | semmle.label | test : Test |
+| MybatisSqlInjectionService.java:31:27:31:30 | test | semmle.label | test |
+#select
+| MybatisSqlInjectionService.java:12:47:12:50 | name | MybatisSqlInjection.java:16:25:16:35 | name : String | MybatisSqlInjectionService.java:12:47:12:50 | name | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:16:25:16:35 | name | this user input |
+| MybatisSqlInjectionService.java:17:47:17:50 | name | MybatisSqlInjection.java:22:25:22:35 | name : String | MybatisSqlInjectionService.java:17:47:17:50 | name | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:22:25:22:35 | name | this user input |
+| MybatisSqlInjectionService.java:22:47:22:50 | name | MybatisSqlInjection.java:28:25:28:35 | name : String | MybatisSqlInjectionService.java:22:47:22:50 | name | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:28:25:28:35 | name | this user input |
+| MybatisSqlInjectionService.java:27:27:27:30 | test | MybatisSqlInjection.java:34:19:34:40 | test : Test | MybatisSqlInjectionService.java:27:27:27:30 | test | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:34:19:34:40 | test | this user input |
+| MybatisSqlInjectionService.java:31:27:31:30 | test | MybatisSqlInjection.java:39:19:39:40 | test : Test | MybatisSqlInjectionService.java:31:27:31:30 | test | MyBatis Mapper XML sql injection might include code from $@. | MybatisSqlInjection.java:39:19:39:40 | test | this user input |

java/ql/test/experimental/query-tests/security/CWE-089/MyBatisMapperXmlSqlInjection.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql

java/ql/test/experimental/query-tests/security/CWE-089/MybatisSqlInjection.java

@@ -0,0 +1,48 @@
+import java.util.List;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+
+@Controller
+public class MybatisSqlInjection {
+
+	@Autowired
+	private MybatisSqlInjectionService mybatisSqlInjectionService;
+
+	@GetMapping(value = "bad1")
+	public List<Test> bad1(String name) {
+		List<Test> result = mybatisSqlInjectionService.bad1(name);
+		return result;
+	}
+
+	@GetMapping(value = "bad2")
+	public List<Test> bad2(String name) {
+		List<Test> result = mybatisSqlInjectionService.bad2(name);
+		return result;
+	}
+
+	@GetMapping(value = "bad3")
+	public List<Test> bad3(String name) {
+		List<Test> result = mybatisSqlInjectionService.bad3(name);
+		return result;
+	}
+
+	@RequestMapping(value = "bad4", method = RequestMethod.POST, produces = "application/json")
+	public void bad4(@RequestBody Test test) {
+		mybatisSqlInjectionService.bad4(test);
+	}
+
+	@RequestMapping(value = "bad5", method = RequestMethod.PUT, produces = "application/json")
+	public void bad5(@RequestBody Test test) {
+		mybatisSqlInjectionService.bad5(test);
+	}
+
+	@GetMapping(value = "good1")
+	public List<Test> good1(Integer id) {
+		List<Test> result = mybatisSqlInjectionService.good1(id);
+		return result;
+	}
+}