Add models for org.springframework.jdbc.object

Also add tests for the existing Spring JDBC SQL injection sinks in the process

Author: smowton

java/ql/src/semmle/code/java/frameworks/SpringJdbc.qll

@@ -24,7 +24,16 @@ private class SqlSinkCsv extends SinkModelCsv {
         "org.springframework.jdbc.core;JdbcTemplate;false;queryForMap;;;Argument[0];sql",
         "org.springframework.jdbc.core;JdbcTemplate;false;queryForObject;;;Argument[0];sql",
         "org.springframework.jdbc.core;JdbcTemplate;false;queryForRowSet;;;Argument[0];sql",
-        "org.springframework.jdbc.core;JdbcTemplate;false;queryForStream;;;Argument[0];sql"
+        "org.springframework.jdbc.core;JdbcTemplate;false;queryForStream;;;Argument[0];sql",
+        "org.springframework.jdbc.object;BatchSqlUpdate;false;BatchSqlUpdate;;;Argument[1];sql",
+        "org.springframework.jdbc.object;MappingSqlQuery;false;BatchSqlUpdate;;;Argument[1];sql",
+        "org.springframework.jdbc.object;MappingSqlQueryWithParameters;false;BatchSqlUpdate;;;Argument[1];sql",
+        "org.springframework.jdbc.object;RdbmsOperation;true;setSql;;;Argument[0];sql",
+        "org.springframework.jdbc.object;SqlCall;false;SqlCall;;;Argument[1];sql",
+        "org.springframework.jdbc.object;SqlFunction;false;SqlFunction;;;Argument[1];sql",
+        "org.springframework.jdbc.object;SqlQuery;false;SqlQuery;;;Argument[1];sql",
+        "org.springframework.jdbc.object;SqlUpdate;false;SqlUpdate;;;Argument[1];sql",
+        "org.springframework.jdbc.object;UpdatableSqlQuery;false;UpdatableSqlQuery;;;Argument[1];sql"
       ]
   }
 }

java/ql/test/query-tests/security/CWE-089/semmle/examples/SpringJdbc.java

@@ -0,0 +1,44 @@
+import java.sql.ResultSet;
+import java.util.Map;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.object.BatchSqlUpdate;
+import org.springframework.jdbc.object.MappingSqlQueryWithParameters;
+import org.springframework.jdbc.object.SqlFunction;
+import org.springframework.jdbc.object.SqlUpdate;
+import org.springframework.jdbc.object.UpdatableSqlQuery;
+
+public class SpringJdbc {
+
+  public static String source() { return null; }
+
+  private static class MyUpdatableSqlQuery extends UpdatableSqlQuery<String> {
+    public MyUpdatableSqlQuery() {
+      super(null, source()); // $ sqlInjection
+    }
+
+    protected String updateRow(ResultSet rs, int rowNum, Map<?,?> context) {
+      return null;
+    }
+  }
+
+  public static void test(JdbcTemplate template) {
+    new BatchSqlUpdate(null, source()); // $ sqlInjection
+    new SqlFunction(null, source()); // $ sqlInjection
+    new SqlUpdate(null, source()); // $ sqlInjection
+
+    (new BatchSqlUpdate()).setSql(source()); // $ sqlInjection
+
+    template.batchUpdate(source()); // $ sqlInjection
+    template.batchUpdate(source(), null, 0, null); // $ sqlInjection
+    template.execute(source()); // $ sqlInjection
+    template.update(source()); // $ sqlInjection
+    template.query(source(), (RowMapper)null); // $ sqlInjection
+    template.queryForList(source()); // $ sqlInjection
+    template.queryForMap(source()); // $ sqlInjection
+    template.queryForObject(source(), (Class)null); // $ sqlInjection
+    template.queryForRowSet(source()); // $ sqlInjection
+    template.queryForStream(source(), (RowMapper)null); // $ sqlInjection
+  }
+
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/springframework-5.3.8

java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.expected

@@ -0,0 +1,41 @@
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.security.QueryInjection
+import TestUtilities.InlineExpectationsTest
+
+private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
+  QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    src.asExpr() = any(MethodAccess ma | ma.getMethod().hasName("source"))
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
+
+  override predicate isSanitizer(DataFlow::Node node) {
+    node.getType() instanceof PrimitiveType or
+    node.getType() instanceof BoxedType or
+    node.getType() instanceof NumberType
+  }
+
+  override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    any(AdditionalQueryInjectionTaintStep s).step(node1, node2)
+  }
+}
+
+class HasFlowTest extends InlineExpectationsTest {
+  HasFlowTest() { this = "HasFlowTest" }
+
+  override string getARelevantTag() { result = "sqlInjection" }
+
+  override predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "sqlInjection" and
+    exists(DataFlow::Node src, DataFlow::Node sink, QueryInjectionFlowConfig conf |
+      conf.hasFlow(src, sink)
+    |
+      sink.getLocation() = location and
+      element = sink.toString() and
+      value = ""
+    )
+  }
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/springjdbc.ql

@@ -0,0 +1,15 @@
+// Generated automatically from org.springframework.core.NestedRuntimeException for testing purposes
+
+package org.springframework.core;
+
+
+abstract public class NestedRuntimeException extends RuntimeException
+{
+    protected NestedRuntimeException() {}
+    public NestedRuntimeException(String p0){}
+    public NestedRuntimeException(String p0, Throwable p1){}
+    public String getMessage(){ return null; }
+    public Throwable getMostSpecificCause(){ return null; }
+    public Throwable getRootCause(){ return null; }
+    public boolean contains(Class<? extends Object> p0){ return false; }
+}

java/ql/test/stubs/springframework-5.3.8/org/springframework/core/NestedRuntimeException.java

@@ -0,0 +1,12 @@
+// Generated automatically from org.springframework.dao.DataAccessException for testing purposes
+
+package org.springframework.dao;
+
+import org.springframework.core.NestedRuntimeException;
+
+abstract public class DataAccessException extends NestedRuntimeException
+{
+    protected DataAccessException() {}
+    public DataAccessException(String p0){}
+    public DataAccessException(String p0, Throwable p1){}
+}

java/ql/test/stubs/springframework-5.3.8/org/springframework/dao/DataAccessException.java

@@ -0,0 +1,11 @@
+// Generated automatically from org.springframework.jdbc.core.BatchPreparedStatementSetter for testing purposes
+
+package org.springframework.jdbc.core;
+
+import java.sql.PreparedStatement;
+
+public interface BatchPreparedStatementSetter
+{
+    int getBatchSize();
+    void setValues(PreparedStatement p0, int p1);
+}

java/ql/test/stubs/springframework-5.3.8/org/springframework/jdbc/core/BatchPreparedStatementSetter.java

@@ -0,0 +1,10 @@
+// Generated automatically from org.springframework.jdbc.core.CallableStatementCallback for testing purposes
+
+package org.springframework.jdbc.core;
+
+import java.sql.CallableStatement;
+
+public interface CallableStatementCallback<T>
+{
+    T doInCallableStatement(CallableStatement p0);
+}

java/ql/test/stubs/springframework-5.3.8/org/springframework/jdbc/core/CallableStatementCallback.java

@@ -0,0 +1,11 @@
+// Generated automatically from org.springframework.jdbc.core.CallableStatementCreator for testing purposes
+
+package org.springframework.jdbc.core;
+
+import java.sql.CallableStatement;
+import java.sql.Connection;
+
+public interface CallableStatementCreator
+{
+    CallableStatement createCallableStatement(Connection p0);
+}