Java: add a class for MyBatis Mapper methods that update a database

Jami Cogswell · Jami Cogswell · commit 8e9f21dc5222 · 2025-01-30T10:01:43.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
@@ -27,3 +27,20 @@ private class SpringCsrfUnprotectedMethod extends CsrfUnprotectedMethod instance
     )
   }
 }
+
+/** A method that updates a database. */
+abstract class DatabaseUpdateMethod extends Method { }
+
+/** A MyBatis Mapper method that updates a database. */
+private class MyBatisMapperDatabaseUpdateMethod extends DatabaseUpdateMethod {
+  MyBatisMapperDatabaseUpdateMethod() {
+    exists(MyBatisMapperSqlOperation mapperXml |
+      (
+        mapperXml instanceof MyBatisMapperInsert or
+        mapperXml instanceof MyBatisMapperUpdate or
+        mapperXml instanceof MyBatisMapperDelete
+      ) and
+      this = mapperXml.getMapperMethod()
+    )
+  }
+}
