add test case

haby0 · haby0 · commit d36a7ed10ea8 · 2021-11-25T15:47:32.000+08:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.xml b/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.xml
@@ -67,4 +67,9 @@
     -- good
     select id,name from test where id = ${id}
   </select>
+
+  <select id="good2" parameterType="java.lang.String" resultMap="BaseResultMap">
+    -- good
+    select id,name from test where name = #{name}
+  </select>
 </mapper>
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.expected b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MyBatisMapperXmlSqlInjection.expected
@@ -15,6 +15,8 @@ edges
 | MybatisSqlInjection.java:53:35:53:40 | params : List | MybatisSqlInjectionService.java:39:19:39:37 | params : List |
 | MybatisSqlInjection.java:57:19:57:46 | params : String[] | MybatisSqlInjection.java:58:35:58:40 | params : String[] |
 | MybatisSqlInjection.java:58:35:58:40 | params : String[] | MybatisSqlInjectionService.java:43:19:43:33 | params : String[] |
+| MybatisSqlInjection.java:68:26:68:36 | name : String | MybatisSqlInjection.java:69:56:69:59 | name : String |
+| MybatisSqlInjection.java:69:56:69:59 | name : String | MybatisSqlInjectionService.java:52:26:52:36 | name : String |
 | MybatisSqlInjectionService.java:12:25:12:35 | name : String | MybatisSqlInjectionService.java:13:47:13:50 | name |
 | MybatisSqlInjectionService.java:17:25:17:35 | name : String | MybatisSqlInjectionService.java:18:47:18:50 | name |
 | MybatisSqlInjectionService.java:22:25:22:33 | test : Test | MybatisSqlInjectionService.java:23:47:23:50 | test |
@@ -23,6 +25,7 @@ edges
 | MybatisSqlInjectionService.java:35:19:35:44 | params : Map | MybatisSqlInjectionService.java:36:27:36:32 | params |
 | MybatisSqlInjectionService.java:39:19:39:37 | params : List | MybatisSqlInjectionService.java:40:27:40:32 | params |
 | MybatisSqlInjectionService.java:43:19:43:33 | params : String[] | MybatisSqlInjectionService.java:44:27:44:32 | params |
+| MybatisSqlInjectionService.java:52:26:52:36 | name : String | MybatisSqlInjectionService.java:53:48:53:51 | name |
 nodes
 | MybatisSqlInjection.java:19:25:19:49 | name : String | semmle.label | name : String |
 | MybatisSqlInjection.java:20:55:20:58 | name : String | semmle.label | name : String |
@@ -40,6 +43,8 @@ nodes
 | MybatisSqlInjection.java:53:35:53:40 | params : List | semmle.label | params : List |
 | MybatisSqlInjection.java:57:19:57:46 | params : String[] | semmle.label | params : String[] |
 | MybatisSqlInjection.java:58:35:58:40 | params : String[] | semmle.label | params : String[] |
+| MybatisSqlInjection.java:68:26:68:36 | name : String | semmle.label | name : String |
+| MybatisSqlInjection.java:69:56:69:59 | name : String | semmle.label | name : String |
 | MybatisSqlInjectionService.java:12:25:12:35 | name : String | semmle.label | name : String |
 | MybatisSqlInjectionService.java:13:47:13:50 | name | semmle.label | name |
 | MybatisSqlInjectionService.java:17:25:17:35 | name : String | semmle.label | name : String |
@@ -56,6 +61,8 @@ nodes
 | MybatisSqlInjectionService.java:40:27:40:32 | params | semmle.label | params |
 | MybatisSqlInjectionService.java:43:19:43:33 | params : String[] | semmle.label | params : String[] |
 | MybatisSqlInjectionService.java:44:27:44:32 | params | semmle.label | params |
+| MybatisSqlInjectionService.java:52:26:52:36 | name : String | semmle.label | name : String |
+| MybatisSqlInjectionService.java:53:48:53:51 | name | semmle.label | name |
 #select
 | MybatisSqlInjectionService.java:13:47:13:50 | name | MybatisSqlInjection.java:19:25:19:49 | name : String | MybatisSqlInjectionService.java:13:47:13:50 | name | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:19:25:19:49 | name | this user input | SqlInjectionMapper.xml:23:3:25:12 | select | this sql operation |
 | MybatisSqlInjectionService.java:18:47:18:50 | name | MybatisSqlInjection.java:25:25:25:49 | name : String | MybatisSqlInjectionService.java:18:47:18:50 | name | MyBatis Mapper XML sql injection might include code from $@ to $@. | MybatisSqlInjection.java:25:25:25:49 | name | this user input | SqlInjectionMapper.xml:27:3:29:12 | select | this sql operation |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjection.java
@@ -54,7 +54,7 @@ public void bad7(@RequestBody List<String> params) {
 	}
 
 	@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")
-	public void bad7(@RequestBody String[] params) {
+	public void bad8(@RequestBody String[] params) {
 		mybatisSqlInjectionService.bad8(params);
 	}
 
@@ -63,4 +63,10 @@ public List<Test> good1(Integer id) {
 		List<Test> result = mybatisSqlInjectionService.good1(id);
 		return result;
 	}
+
+	@GetMapping(value = "good2")
+	public List<Test> good2(String name) {
+		List<Test> result = mybatisSqlInjectionService.good2(name);
+		return result;
+	}
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/MybatisSqlInjectionService.java
@@ -48,4 +48,9 @@ public List<Test> good1(Integer id) {
 		List<Test> result = sqlInjectionMapper.good1(id);
 		return result;
 	}
+
+	public List<Test> good2(String name) {
+		List<Test> result = sqlInjectionMapper.good2(name);
+		return result;
+	}
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.java b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.java
@@ -25,4 +25,6 @@ public interface SqlInjectionMapper {
 	void bad8(String[] params);
 
 	List<Test> good1(Integer id);
+
+	List<Test> good2(String name);
 }
diff --git a/java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.xml b/java/ql/test/experimental/query-tests/security/CWE-089/src/main/SqlInjectionMapper.xml
@@ -77,4 +77,8 @@
   <select id="good1" parameterType="java.lang.Integer" resultMap="BaseResultMap">
     select id,name from test where id = ${id}
   </select>
+
+  <select id="good2" parameterType="java.lang.String" resultMap="BaseResultMap">
+    select id,name from test where name = #{name}
+  </select>
 </mapper>

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public void bad7(@RequestBody List<String> params) {`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`@RequestMapping(value = "msi8", method = RequestMethod.POST, produces = "application/json")`
`57`		`- public void bad7(@RequestBody String[] params) {`
	`57`	`+ public void bad8(@RequestBody String[] params) {`
`58`	`58`	`mybatisSqlInjectionService.bad8(params);`
`59`	`59`	`}`
`60`	`60`
`@@ -63,4 +63,10 @@ public List<Test> good1(Integer id) {`
`63`	`63`	`List<Test> result = mybatisSqlInjectionService.good1(id);`
`64`	`64`	`return result;`
`65`	`65`	`}`
	`66`	`+`
	`67`	`+ @GetMapping(value = "good2")`
	`68`	`+ public List<Test> good2(String name) {`
	`69`	`+ List<Test> result = mybatisSqlInjectionService.good2(name);`
	`70`	`+ return result;`
	`71`	`+ }`
`66`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -48,4 +48,9 @@ public List<Test> good1(Integer id) {`
`48`	`48`	`List<Test> result = sqlInjectionMapper.good1(id);`
`49`	`49`	`return result;`
`50`	`50`	`}`
	`51`	`+`
	`52`	`+ public List<Test> good2(String name) {`
	`53`	`+ List<Test> result = sqlInjectionMapper.good2(name);`
	`54`	`+ return result;`
	`55`	`+ }`
`51`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -25,4 +25,6 @@ public interface SqlInjectionMapper {`
`25`	`25`	`void bad8(String[] params);`
`26`	`26`
`27`	`27`	`List<Test> good1(Integer id);`
	`28`	`+`
	`29`	`+ List<Test> good2(String name);`
`28`	`30`	`}`