Merge pull request #6319 from haby0/java/MyBatisSqlInjection

[Java] CWE-089 MyBatis Mapper Sql Injection

Author: smowton

java/ql/lib/semmle/code/java/frameworks/MyBatis.qll

@@ -24,3 +24,81 @@ private class SqlSinkCsv extends SinkModelCsv {
       ]
   }
 }
+
+/** The class `org.apache.ibatis.session.Configuration`. */
+class IbatisConfiguration extends RefType {
+  IbatisConfiguration() { this.hasQualifiedName("org.apache.ibatis.session", "Configuration") }
+}
+
+/**
+ * The method `getVariables()` declared in `org.apache.ibatis.session.Configuration`.
+ */
+class IbatisConfigurationGetVariablesMethod extends Method {
+  IbatisConfigurationGetVariablesMethod() {
+    this.getDeclaringType() instanceof IbatisConfiguration and
+    this.hasName("getVariables") and
+    this.getNumberOfParameters() = 0
+  }
+}
+
+/**
+ * An annotation type that identifies Ibatis select.
+ */
+private class IbatisSelectAnnotationType extends AnnotationType {
+  IbatisSelectAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Select") }
+}
+
+/**
+ * An annotation type that identifies Ibatis delete.
+ */
+private class IbatisDeleteAnnotationType extends AnnotationType {
+  IbatisDeleteAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Delete") }
+}
+
+/**
+ * An annotation type that identifies Ibatis insert.
+ */
+private class IbatisInsertAnnotationType extends AnnotationType {
+  IbatisInsertAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Insert") }
+}
+
+/**
+ * An annotation type that identifies Ibatis update.
+ */
+private class IbatisUpdateAnnotationType extends AnnotationType {
+  IbatisUpdateAnnotationType() { this.hasQualifiedName("org.apache.ibatis.annotations", "Update") }
+}
+
+/**
+ * An Ibatis SQL operation annotation.
+ */
+class IbatisSqlOperationAnnotation extends Annotation {
+  IbatisSqlOperationAnnotation() {
+    this.getType() instanceof IbatisSelectAnnotationType or
+    this.getType() instanceof IbatisDeleteAnnotationType or
+    this.getType() instanceof IbatisInsertAnnotationType or
+    this.getType() instanceof IbatisUpdateAnnotationType
+  }
+
+  /**
+   * Gets this annotation's SQL statement string.
+   */
+  string getSqlValue() {
+    result = this.getAValue("value").(CompileTimeConstantExpr).getStringValue()
+  }
+}
+
+/**
+ * Methods annotated with `@org.apache.ibatis.annotations.Select` or `@org.apache.ibatis.annotations.Delete`
+ * or `@org.apache.ibatis.annotations.Update` or `@org.apache.ibatis.annotations.Insert`.
+ */
+class MyBatisSqlOperationAnnotationMethod extends Method {
+  MyBatisSqlOperationAnnotationMethod() {
+    this.getAnAnnotation() instanceof IbatisSqlOperationAnnotation
+  }
+}
+
+/** The interface `org.apache.ibatis.annotations.Param`. */
+class TypeParam extends Interface {
+  TypeParam() { this.hasQualifiedName("org.apache.ibatis.annotations", "Param") }
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.java

@@ -0,0 +1,10 @@
+import org.apache.ibatis.annotations.Select;
+
+public interface MyBatisAnnotationSqlInjection {
+
+    @Select("select * from test where name = ${name}")
+	public Test bad1(String name);
+
+    @Select("select * from test where name = #{name}")
+	public Test good1(String name);
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.qhelp

@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>MyBatis uses methods with the annotations <code>@Select</code>, <code>@Insert</code>, etc. to construct dynamic SQL statements.
+If the syntax <code>${param}</code> is used in those statements, and <code>param</code> is a parameter of the annotated method, attackers can exploit this to tamper with the SQL statements or execute arbitrary SQL commands.</p>
+</overview>
+
+<recommendation>
+<p>
+When writing MyBatis mapping statements, use the syntax <code>#{xxx}</code> whenever possible. If the syntax <code>${xxx}</code> must be used, any parameters included in it should be sanitized to prevent SQL injection attacks.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following sample shows a bad and a good example of MyBatis annotations usage. The <code>bad1</code> method uses <code>$(name)</code> 
+in the <code>@Select</code> annotation to dynamically build a SQL statement, which causes a SQL injection vulnerability. 
+The <code>good1</code> method uses <code>#{name}</code> in the <code>@Select</code> annotation to dynamically include the parameter in a SQL statement, which causes the MyBatis framework to sanitize the input provided, preventing the vulnerability.
+</p>
+<sample src="MyBatisAnnotationSqlInjection.java" />
+</example>
+
+<references>
+<li>
+Fortify:
+<a href="https://vulncat.fortify.com/en/detail?id=desc.config.java.sql_injection_mybatis_mapper">SQL Injection: MyBatis Mapper</a>.
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -0,0 +1,60 @@
+/**
+ * @name SQL injection in MyBatis annotation
+ * @description Constructing a dynamic SQL statement with input that comes from an
+ *              untrusted source could allow an attacker to modify the statement's
+ *              meaning or to execute arbitrary SQL commands.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/mybatis-annotation-sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import java
+import DataFlow::PathGraph
+import MyBatisCommonLib
+import MyBatisAnnotationSqlInjectionLib
+import semmle.code.java.dataflow.FlowSources
+
+private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::Configuration {
+  MyBatisAnnotationSqlInjectionConfiguration() { this = "MyBatis annotation sql injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof MyBatisAnnotatedMethodCallArgument
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof TypeObject and
+      ma.getMethod().getName() = "toString" and
+      ma.getQualifier() = node1.asExpr() and
+      ma = node2.asExpr()
+    )
+  }
+}
+
+from
+  MyBatisAnnotationSqlInjectionConfiguration cfg, DataFlow::PathNode source,
+  DataFlow::PathNode sink, IbatisSqlOperationAnnotation isoa, MethodAccess ma,
+  string unsafeExpression
+where
+  cfg.hasFlowPath(source, sink) and
+  ma.getAnArgument() = sink.getNode().asExpr() and
+  myBatisSqlOperationAnnotationFromMethod(ma.getMethod(), isoa) and
+  unsafeExpression = getAMybatisAnnotationSqlValue(isoa) and
+  (
+    isMybatisXmlOrAnnotationSqlInjection(sink.getNode(), ma, unsafeExpression) or
+    isMybatisCollectionTypeSqlInjection(sink.getNode(), ma, unsafeExpression)
+  )
+select sink.getNode(), source, sink,
+  "MyBatis annotation SQL injection might include code from $@ to $@.", source.getNode(),
+  "this user input", isoa, "this SQL operation"

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll

@@ -0,0 +1,17 @@
+/**
+ * Provides classes for SQL injection detection regarding MyBatis annotated methods.
+ */
+
+import java
+import MyBatisCommonLib
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Properties
+
+/** An argument of a MyBatis annotated method. */
+class MyBatisAnnotatedMethodCallArgument extends DataFlow::Node {
+  MyBatisAnnotatedMethodCallArgument() {
+    exists(MyBatisSqlOperationAnnotationMethod msoam, MethodAccess ma | ma.getMethod() = msoam |
+      ma.getAnArgument() = this.asExpr()
+    )
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll

@@ -0,0 +1,184 @@
+/**
+ * Provides public classes for MyBatis SQL injection detection.
+ */
+
+import java
+import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.MyBatis
+import semmle.code.java.frameworks.Properties
+
+private predicate propertiesKey(DataFlow::Node prop, string key) {
+  exists(MethodAccess m |
+    m.getMethod() instanceof PropertiesSetPropertyMethod and
+    key = m.getArgument(0).(CompileTimeConstantExpr).getStringValue() and
+    prop.asExpr() = m.getQualifier()
+  )
+}
+
+/** A data flow configuration tracing flow from ibatis `Configuration.getVariables()` to a store into a `Properties` object. */
+private class PropertiesFlowConfig extends DataFlow2::Configuration {
+  PropertiesFlowConfig() { this = "PropertiesFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(MethodAccess ma | ma.getMethod() instanceof IbatisConfigurationGetVariablesMethod |
+      src.asExpr() = ma
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { propertiesKey(sink, _) }
+}
+
+/** Gets a `Properties` key that may map onto a Mybatis `Configuration` variable. */
+string getAMybatisConfigurationVariableKey() {
+  exists(PropertiesFlowConfig conf, DataFlow::Node n |
+    propertiesKey(n, result) and
+    conf.hasFlowTo(n)
+  )
+}
+
+/** A reference type that extends a parameterization of `java.util.List`. */
+class ListType extends RefType {
+  ListType() {
+    this.getSourceDeclaration().getASourceSupertype*().hasQualifiedName("java.util", "List")
+  }
+}
+
+/** Holds if the specified `method` uses MyBatis Mapper XMLElement `mmxx`. */
+predicate myBatisMapperXMLElementFromMethod(Method method, MyBatisMapperXMLElement mmxx) {
+  exists(MyBatisMapperSqlOperation mbmxe | mbmxe.getMapperMethod() = method |
+    mbmxe.getAChild*() = mmxx
+    or
+    exists(MyBatisMapperSql mbms |
+      mbmxe.getInclude().getRefid() = mbms.getId() and
+      mbms.getAChild*() = mmxx
+    )
+  )
+}
+
+/** Holds if the specified `method` has Ibatis Sql operation annotation `isoa`. */
+predicate myBatisSqlOperationAnnotationFromMethod(Method method, IbatisSqlOperationAnnotation isoa) {
+  exists(MyBatisSqlOperationAnnotationMethod msoam |
+    msoam = method and
+    msoam.getAnAnnotation() = isoa
+  )
+}
+
+/** Gets a `#{...}` or `${...}` expression argument in XML element `xmle`. */
+string getAMybatisXmlSetValue(XMLElement xmle) {
+  result = xmle.getTextValue().regexpFind("(#|\\$)\\{[^\\}]*\\}", _, _)
+}
+
+/** Gets a `#{...}` or `${...}` expression argument in annotation `isoa`. */
+string getAMybatisAnnotationSqlValue(IbatisSqlOperationAnnotation isoa) {
+  result = isoa.getSqlValue().regexpFind("(#|\\$)\\{[^\\}]*\\}", _, _)
+}
+
+/**
+ * Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression.
+ *
+ * This case currently assumes all `${...}` expressions are potentially dangerous when there is a non-`@Param` annotated, collection-typed parameter to `ma`.
+ */
+bindingset[unsafeExpression]
+predicate isMybatisCollectionTypeSqlInjection(
+  DataFlow::Node node, MethodAccess ma, string unsafeExpression
+) {
+  not unsafeExpression.regexpMatch("\\$\\{" + getAMybatisConfigurationVariableKey() + "\\}") and
+  // The parameter type of the MyBatis method parameter is Map or List or Array.
+  // SQL injection vulnerability caused by improper use of this parameter.
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test where name like '%${value}%')
+  //    Test test(Map map);
+  // ```
+  exists(int i |
+    not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
+    (
+      ma.getMethod().getParameterType(i) instanceof MapType or
+      ma.getMethod().getParameterType(i) instanceof ListType or
+      ma.getMethod().getParameterType(i) instanceof Array
+    ) and
+    unsafeExpression.matches("${%}") and
+    ma.getArgument(i) = node.asExpr()
+  )
+}
+
+/**
+ * Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression.
+ *
+ * This accounts for:
+ * - arguments referred to by a name given in a `@Param` annotation,
+ * - arguments referred to by ordinal position, like `${param1}`
+ * - references to class instance fields
+ * - any `${}` expression where there is a single, non-`@Param`-annotated argument to `ma`.
+ */
+bindingset[unsafeExpression]
+predicate isMybatisXmlOrAnnotationSqlInjection(
+  DataFlow::Node node, MethodAccess ma, string unsafeExpression
+) {
+  not unsafeExpression.regexpMatch("\\$\\{" + getAMybatisConfigurationVariableKey() + "\\}") and
+  (
+    // The method parameters use `@Param` annotation. Due to improper use of this parameter, SQL injection vulnerabilities are caused.
+    // e.g.
+    //
+    // ```java
+    //    @Select(select id,name from test order by ${orderby,jdbcType=VARCHAR})
+    //    void test(@Param("orderby") String name);
+    // ```
+    exists(Annotation annotation |
+      unsafeExpression
+          .matches("${" + annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
+              "%}") and
+      annotation.getType() instanceof TypeParam and
+      ma.getAnArgument() = node.asExpr()
+    )
+    or
+    // MyBatis default parameter sql injection vulnerabilities.the default parameter form of the method is arg[0...n] or param[1...n].
+    // e.g.
+    //
+    // ```java
+    //    @Select(select id,name from test order by ${arg0,jdbcType=VARCHAR})
+    //    void test(String name);
+    // ```
+    exists(int i |
+      not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
+      (
+        unsafeExpression.matches("${param" + (i + 1) + "%}")
+        or
+        unsafeExpression.matches("${arg" + i + "%}")
+      ) and
+      ma.getArgument(i) = node.asExpr()
+    )
+    or
+    // SQL injection vulnerability caused by improper use of MyBatis instance class fields.
+    // e.g.
+    //
+    // ```java
+    //    @Select(select id,name from test order by ${name,jdbcType=VARCHAR})
+    //    void test(Test test);
+    // ```
+    exists(int i, RefType t |
+      not ma.getMethod().getParameter(i).getAnAnnotation().getType() instanceof TypeParam and
+      ma.getMethod().getParameterType(i).getName() = t.getName() and
+      unsafeExpression.matches("${" + t.getAField().getName() + "%}") and
+      ma.getArgument(i) = node.asExpr()
+    )
+    or
+    // This method has only one parameter and the parameter is not annotated with `@Param`. The parameter can be named arbitrarily in the SQL statement.
+    // If the number of method variables is greater than one, they cannot be named arbitrarily.
+    // Improper use of this parameter has a SQL injection vulnerability.
+    // e.g.
+    //
+    // ```java
+    //    @Select(select id,name from test where name like '%${value}%')
+    //    Test test(String name);
+    // ```
+    exists(int i | i = 1 |
+      ma.getMethod().getNumberOfParameters() = i and
+      not ma.getMethod().getAParameter().getAnAnnotation().getType() instanceof TypeParam and
+      unsafeExpression.matches("${%}") and
+      ma.getAnArgument() = node.asExpr()
+    )
+  )
+}