New model: SQL injection in MyBatis annotations

Author: haby0

java/ql/lib/semmle/code/java/frameworks/MyBatis.qll

@@ -40,3 +40,119 @@ class IbatisConfigurationGetVariablesMethod extends Method {
     getNumberOfParameters() = 0
   }
 }
+
+/**
+ * An annotation type that identifies Ibatis select.
+ */
+private class IbatisSelectAnnotationType extends AnnotationType {
+  IbatisSelectAnnotationType() {
+    this.hasQualifiedName("org.apache.ibatis.annotations", "Select") or
+    this.getAnAnnotation().getType() instanceof IbatisSelectAnnotationType
+  }
+}
+
+/**
+ * An annotation type that identifies Ibatis delete.
+ */
+private class IbatisDeleteAnnotationType extends AnnotationType {
+  IbatisDeleteAnnotationType() {
+    this.hasQualifiedName("org.apache.ibatis.annotations", "Delete") or
+    this.getAnAnnotation().getType() instanceof IbatisDeleteAnnotationType
+  }
+}
+
+/**
+ * An annotation type that identifies Ibatis insert.
+ */
+private class IbatisInsertAnnotationType extends AnnotationType {
+  IbatisInsertAnnotationType() {
+    this.hasQualifiedName("org.apache.ibatis.annotations", "Insert") or
+    this.getAnAnnotation().getType() instanceof IbatisInsertAnnotationType
+  }
+}
+
+/**
+ * An annotation type that identifies Ibatis update.
+ */
+private class IbatisUpdateAnnotationType extends AnnotationType {
+  IbatisUpdateAnnotationType() {
+    this.hasQualifiedName("org.apache.ibatis.annotations", "Update") or
+    this.getAnAnnotation().getType() instanceof IbatisUpdateAnnotationType
+  }
+}
+
+/**
+ * Ibatis sql operation annotation.
+ */
+abstract class IbatisSqlOperationAnnotation extends Annotation {
+  abstract string getSqlValue();
+}
+
+/**
+ * A `@org.apache.ibatis.annotations.Select` annotation.
+ */
+private class IbatisSelectAnnotation extends IbatisSqlOperationAnnotation {
+  IbatisSelectAnnotation() { this.getType() instanceof IbatisSelectAnnotationType }
+
+  string getSelectValue() {
+    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
+    result =
+      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+  }
+
+  override string getSqlValue() { result = getSelectValue() }
+}
+
+/**
+ * A `@org.apache.ibatis.annotations.Delete` annotation.
+ */
+private class IbatisDeleteAnnotation extends IbatisSqlOperationAnnotation {
+  IbatisDeleteAnnotation() { this.getType() instanceof IbatisDeleteAnnotationType }
+
+  string getDeleteValue() {
+    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
+    result =
+      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+  }
+
+  override string getSqlValue() { result = getDeleteValue() }
+}
+
+/**
+ * A `@org.apache.ibatis.annotations.Insert` annotation.
+ */
+private class IbatisInsertAnnotation extends IbatisSqlOperationAnnotation {
+  IbatisInsertAnnotation() { this.getType() instanceof IbatisInsertAnnotationType }
+
+  string getInsertValue() {
+    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
+    result =
+      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+  }
+
+  override string getSqlValue() { result = getInsertValue() }
+}
+
+/**
+ * A `@org.apache.ibatis.annotations.Update` annotation.
+ */
+private class IbatisUpdateAnnotation extends IbatisSqlOperationAnnotation {
+  IbatisUpdateAnnotation() { this.getType() instanceof IbatisUpdateAnnotationType }
+
+  string getUpdateValue() {
+    result = this.getValue("value").(CompileTimeConstantExpr).getStringValue() or
+    result =
+      this.getValue("value").(ArrayInit).getInit(_).(CompileTimeConstantExpr).getStringValue()
+  }
+
+  override string getSqlValue() { result = getUpdateValue() }
+}
+
+// Mybatis uses sql operation to annotate the method of interacting with the database.
+class MybatisSqlOperationAnnotationMethod extends Method {
+  MybatisSqlOperationAnnotationMethod() {
+    exists(IbatisSqlOperationAnnotation isoa |
+      this.getAnAnnotation() = isoa  
+    )
+  }
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.java

@@ -0,0 +1,10 @@
+import org.apache.ibatis.annotations.Select;
+
+public interface MyBatisAnnotationSqlInjection {
+
+    @Select("select * from test where name = ${name}")
+	public Test bad1(String name);
+
+    @Select("select * from test where name = #{name}")
+	public Test good1(String name);
+}

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.qhelp

@@ -0,0 +1,34 @@
+<!DOCTYPE qhelp PUBLIC
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>MyBatis operates the database by using @Select, @Insert, etc. annotations in the method, and can use the $ character 
+to construct dynamic SQL statements. Attackers can modify the meaning of statements or execute arbitrary SQL commands.</p>
+</overview>
+
+<<recommendation>
+<p>
+When writing MyBatis mapping statements, try to use the format "#{xxx}". If you have to use parameters 
+such as "${xxx}", you must manually filter to prevent SQL injection attacks.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following examples show the bad situation and the good situation respectively. The <code>bad1</code> method uses <code>$(name)</code> 
+in the <code>@Select</code> annotation to dynamically splice SQL statements, and there is a SQL injection vulnerability. 
+The good1 method uses the <code>#{name}</code> method in the <code>@Select</code> annotation to splice SQL statements, 
+and the MyBatis framework will handle the dangerous characters entered by the user, And did not cause SQL injection vulnerabilities.
+</p>
+<sample src="MyBatisAnnotationSqlInjection.java" />
+</example>
+
+<references>
+<li>
+Fortify:
+<a href="https://vulncat.fortify.com/en/detail?id=desc.config.java.sql_injection_mybatis_mapper">SQL Injection: MyBatis Mapper</a>.
+</li>
+</references>
+</qhelp>

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql

@@ -0,0 +1,64 @@
+/**
+ * @name MyBatis annotation sql injection
+ * @description Constructing a dynamic SQL statement with input that comes from an
+ *              untrusted source could allow an attacker to modify the statement's
+ *              meaning or to execute arbitrary SQL commands.
+ * @kind path-problem
+ * @problem.severity error
+ * @precision high
+ * @id java/sql-injection
+ * @tags security
+ *       external/cwe/cwe-089
+ */
+
+import java
+import DataFlow::PathGraph
+import MyBatisAnnotationSqlInjectionLib
+import semmle.code.java.security.SanitizerGuard
+import semmle.code.java.dataflow.FlowSources
+
+private class MyBatisAnnotationSqlInjectionConfiguration extends TaintTracking::Configuration {
+  MyBatisAnnotationSqlInjectionConfiguration() { this = "MyBatis annotation sql injection" }
+
+  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof MyBatisAnnotationMethodCallAnArgument
+  }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
+  }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    guard instanceof ContainsSanitizer or guard instanceof EqualsSanitizer
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof MapType and
+      ma.getMethod().getName() = "get" and
+      ma.getQualifier() = node1.asExpr() and
+      ma = node2.asExpr()
+    )
+    or
+    exists(MethodAccess ma |
+      ma.getMethod().getDeclaringType() instanceof TypeObject and
+      ma.getMethod().getName() = "toString" and
+      ma.getQualifier() = node1.asExpr() and
+      ma = node2.asExpr()
+    )
+  }
+}
+
+from
+  MyBatisAnnotationSqlInjectionConfiguration cfg, DataFlow::PathNode source,
+  DataFlow::PathNode sink, IbatisSqlOperationAnnotation isoa
+where
+  cfg.hasFlowPath(source, sink) and
+  isMybatisAnnotationSqlInjection(sink.getNode(), isoa)
+select sink.getNode(), source, sink,
+  "MyBatis annotation sql injection might include code from $@ to $@.", source.getNode(),
+  "this user input", isoa, "this sql operation"

java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjectionLib.qll

@@ -0,0 +1,126 @@
+import java
+import MyBatisCommonLib
+import semmle.code.xml.MyBatisMapperXML
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.frameworks.Properties
+
+/** A sink for MyBatis annotation method call an argument. */
+class MyBatisAnnotationMethodCallAnArgument extends DataFlow::Node {
+  MyBatisAnnotationMethodCallAnArgument() {
+    exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma | ma.getMethod() = msoam |
+      ma.getAnArgument() = this.asExpr()
+    )
+  }
+}
+
+/** Get the #{...} or ${...} parameters in the Mybatis annotation value. */
+private string getAnMybatiAnnotationSetValue(IbatisSqlOperationAnnotation isoa) {
+  result = isoa.getSqlValue().trim().regexpFind("(#|\\$)(\\{([^\\}]*\\}))", _, _)
+}
+
+predicate isMybatisAnnotationSqlInjection(DataFlow::Node node, IbatisSqlOperationAnnotation isoa) {
+  // MyBatis uses an annotation method to perform SQL operations. This method has only one parameter and
+  // the parameter is not annotated with `@Param`. Improper use of this parameter has a SQL injection vulnerability.
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test where name like '%${value}%')
+  //    Test test(String name);
+  // ```
+  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, string res |
+    msoam = ma.getMethod()
+  |
+    msoam.getAnAnnotation() = isoa and
+    res = getAnMybatiAnnotationSetValue(isoa) and
+    msoam.getNumberOfParameters() = 1 and
+    not ma.getMethod().getAParameter().hasAnnotation() and
+    res.matches("%${%}") and
+    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    ma.getAnArgument() = node.asExpr()
+  )
+  or
+  // MyBatis uses an annotation method to perform SQL operations. The parameter type of the method parameter
+  // is Map or List or Array. SQL injection vulnerability caused by improper use of this parameter.
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test where name like '%${value}%')
+  //    Test test(Map map);
+  // ```
+  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
+    msoam = ma.getMethod()
+  |
+    msoam.getAnAnnotation() = isoa and
+    not ma.getMethod().getParameter(i).hasAnnotation() and
+    (
+      ma.getMethod().getParameterType(i) instanceof MapType or
+      ma.getMethod().getParameterType(i) instanceof ListType or
+      ma.getMethod().getParameterType(i) instanceof Array
+    ) and
+    res = getAnMybatiAnnotationSetValue(isoa) and
+    res.matches("%${%}") and
+    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    ma.getArgument(i) = node.asExpr()
+  )
+  or
+  // MyBatis uses annotation methods to perform SQL operations, and SQL injection vulnerabilities caused by
+  // improper use of instance class fields.
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test order by ${name,jdbcType=VARCHAR})
+  //    void test(Test test);
+  // ```
+  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, Class c |
+    msoam = ma.getMethod()
+  |
+    msoam.getAnAnnotation() = isoa and
+    not ma.getMethod().getParameter(i).hasAnnotation() and
+    ma.getMethod().getParameterType(i).getName() = c.getName() and
+    getAnMybatiAnnotationSetValue(isoa).matches("%${" + c.getAField().getName() + "%}") and
+    ma.getArgument(i) = node.asExpr()
+  )
+  or
+  // MyBatis uses annotations to perform SQL operations. The method parameters use `@Param` annotation.
+  // Due to improper use of this parameter, SQL injection vulnerabilities are caused.
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test order by ${orderby,jdbcType=VARCHAR})
+  //    void test(@Param("orderby") String name);
+  // ```
+  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, Annotation annotation |
+    msoam = ma.getMethod()
+  |
+    msoam.getAnAnnotation() = isoa and
+    ma.getMethod().getParameter(i).hasAnnotation() and
+    ma.getMethod().getParameter(i).getAnAnnotation() = annotation and
+    annotation.getType() instanceof TypeParam and
+    getAnMybatiAnnotationSetValue(isoa)
+        .matches("%${" + annotation.getValue("value").(CompileTimeConstantExpr).getStringValue() +
+            "%}") and
+    ma.getArgument(i) = node.asExpr()
+  )
+  or
+  // MyBatis Mapper method default parameter sql injection vulnerabilities.the default parameter form of the method is arg[0...n] or param[1...n].
+  // e.g.
+  //
+  // ```java
+  //    @Select(select id,name from test order by ${arg0,jdbcType=VARCHAR})
+  //    void test(String name);
+  // ```
+  exists(MybatisSqlOperationAnnotationMethod msoam, MethodAccess ma, int i, string res |
+    msoam = ma.getMethod()
+  |
+    msoam.getAnAnnotation() = isoa and
+    not ma.getMethod().getParameter(i).hasAnnotation() and
+    res = getAnMybatiAnnotationSetValue(isoa) and
+    (
+      res.matches("%${param" + (i + 1) + "%}")
+      or
+      res.matches("%${arg" + i + "%}")
+    ) and
+    not res.matches("${" + getAnMybatisConfigurationVariableKey() + "}") and
+    ma.getArgument(i) = node.asExpr()
+  )
+}