Skip to content

Commit 470256d

Browse files
smowtonsmowton
authored
Copyedit
1 parent d0a19ff commit 470256d

File tree

1 file changed

+16
-4
lines changed

1 file changed

+16
-4
lines changed

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,7 @@ private predicate propertiesKey(DataFlow::Node prop, string key) {
1616
)
1717
}
1818

19-
/** A data flow configuration tracing flow from ibatis obtaining the variable configuration object to setting the value of the variable. */
19+
/** A data flow configuration tracing flow from ibatis `Configuration.getVariables()` to a store into a `Properties` object. */
2020
private class PropertiesFlowConfig extends DataFlow2::Configuration {
2121
PropertiesFlowConfig() { this = "PropertiesFlowConfig" }
2222

@@ -29,7 +29,7 @@ private class PropertiesFlowConfig extends DataFlow2::Configuration {
2929
override predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
3030
}
3131

32-
/** Get the key value of Mybatis Configuration Variable. */
32+
/** Gets a `Properties` key that may map onto a Mybatis `Configuration` variable. */
3333
string getAMybatisConfigurationVariableKey() {
3434
exists(PropertiesFlowConfig conf, DataFlow::Node n |
3535
propertiesKey(n, result) and
@@ -74,7 +74,11 @@ string getAMybatisAnnotationSqlValue(IbatisSqlOperationAnnotation isoa) {
7474
result = isoa.getSqlValue().regexpFind("(#|\\$)\\{[^\\}]*\\}", _, _)
7575
}
7676

77-
/** Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression. */
77+
/**
78+
* Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression.
79+
*
80+
* This case currently assumes all `${...}` expressions are potentially dangerous when there is a non-`@Param` annotated, collection-typed parameter to `ma`.
81+
*/
7882
bindingset[unsafeExpression]
7983
predicate isMybatisCollectionTypeSqlInjection(
8084
DataFlow::Node node, MethodAccess ma, string unsafeExpression
@@ -100,7 +104,15 @@ predicate isMybatisCollectionTypeSqlInjection(
100104
)
101105
}
102106

103-
/** Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression. */
107+
/**
108+
* Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression.
109+
*
110+
* This accounts for:
111+
* - arguments referred to by a name given in a `@Param` annotation,
112+
* - arguments referred to by ordinal position, like `${param1}`
113+
* - references to class instance fields
114+
* - any `${}` expression where there is a single, non-`@Param`-annotated argument to `ma`.
115+
*/
104116
bindingset[unsafeExpression]
105117
predicate isMybatisXmlOrAnnotationSqlInjection(
106118
DataFlow::Node node, MethodAccess ma, string unsafeExpression

0 commit comments

Comments
 (0)