
Commit b873285

committed
Add isSanitizerGuard, verify file path
1 parent 31400df commit b873285


12 files changed

+41
-2
lines changed


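--- a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+++ b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
@@ -14,6 +14,7 @@
 import java
 import DataFlow::PathGraph
 import MyBatisMapperXmlSqlInjectionLib
+import semmle.code.java.security.SanitizerGuard
 import semmle.code.java.dataflow.FlowSources
 
 private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::Configuration {
@@ -30,6 +31,10 @@ private class MyBatisMapperXmlSqlInjectionConfiguration extends TaintTracking::C
 node.getType() instanceof BoxedType or
 node.getType() instanceof NumberType
 }
+
+override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+guard instanceof ContainsSanitizer or guard instanceof EqualsSanitizer
+}
 }
 
 from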
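Review bot: The new `isSanitizerGuard` override (new lines 35–37) has no QLDoc saying why a `contains` or `equals` check is trusted to stop SQL-injection taint in this configuration, and because both guard classes live in a separate new file, a reader of this query cannot see that only the true branch of those checks is treated as safe. Suggest a comment above the override along the lines of `/** Treats an allow-list `contains` check and an `equals` comparison, on their true branch, as barriers (see ContainsSanitizer / EqualsSanitizer). */`. Note that the soundness of this barrier rests entirely on those guard classes: unless they require the comparison partner to be a constant, a comparison between two untrusted values would silence a real finding in this query. The enclosing class starts in the first hunk and its body between the two hunks is not shown on this page.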
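--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,33 @@
+/**
+* Provide universal sanitizer guards.
+*/
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+* An contains method sanitizer guard.
+*
+* e.g. `if(test.contains("test")) {...`
+*/
+class ContainsSanitizer extends DataFlow::BarrierGuard {
+ContainsSanitizer() { this.(MethodAccess).getMethod().hasName("contains") }
+
+override predicate checks(Expr e, boolean branch) {
+e = this.(MethodAccess).getArgument(0) and branch = true
+}
+}
+
+/**
+* An equals method sanitizer guard.
+*
+* e.g. `if("test".equals(test)) {...`
+*/
+class EqualsSanitizer extends DataFlow::BarrierGuard {
+EqualsSanitizer() { this.(MethodAccess).getMethod().hasName("equals") }
+
+override predicate checks(Expr e, boolean branch) {
+e = [this.(MethodAccess).getArgument(0), this.(MethodAccess).getQualifier()] and
+branch = true
+}
+}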
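--- a/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll
+++ b/java/ql/src/semmle/code/xml/MyBatisMapperXML.qll
@@ -6,7 +6,8 @@ import java
 class MyBatisMapperXMLFile extends XMLFile {
 MyBatisMapperXMLFile() {
 count(XMLElement e | e = this.getAChild()) = 1 and
-this.getAChild().getName() = "mapper"
+this.getAChild().getName() = "mapper" and
+this.getFile().getAbsolutePath().indexOf("/src/main") > 0
 }
 }
 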
java/ql/test/experimental/query-tests/security/CWE-089/options

Lines changed: 0 additions & 1 deletion
This file was deleted.
