
Commit a48fa65

committed
Java: Add SQLi sinks for Spring JDBC
1 parent 82e780d commit a48fa65


10 files changed

+199
-87
lines changed

Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,4 @@
1+
---
2+
category: minorAnalysis
3+
---
4+
* Added SQL injection sinks for Spring JDBC's `NamedParameterJdbcOperations`.
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/java-all
4+
extensible: sinkModel
5+
data:
6+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "batchUpdate", "", "", "Argument[0]", "sql", "manual"]
7+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "batchUpdate", "(String[])", "", "Argument[0]", "sql", "manual"]
8+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "execute", "", "", "Argument[0]", "sql", "manual"]
9+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "query", "", "", "Argument[0]", "sql", "manual"]
10+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForList", "", "", "Argument[0]", "sql", "manual"]
11+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForMap", "", "", "Argument[0]", "sql", "manual"]
12+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForObject", "", "", "Argument[0]", "sql", "manual"]
13+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForRowSet", "", "", "Argument[0]", "sql", "manual"]
14+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "queryForStream", "", "", "Argument[0]", "sql", "manual"]
15+
- ["org.springframework.jdbc.core.namedparam", "NamedParameterJdbcOperations", True, "update", "", "", "Argument[0]", "sql", "manual"]

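--- a/java/ql/test/query-tests/security/CWE-089/semmle/examples/SpringJdbc.java
+++ b/java/ql/test/query-tests/security/CWE-089/semmle/examples/SpringJdbc.java
@@ -1,7 +1,13 @@
 import java.sql.ResultSet;
 import java.util.Map;
 import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations;
+import org.springframework.jdbc.core.namedparam.SqlParameterSource;
+import org.springframework.jdbc.core.PreparedStatementCallback;
+import org.springframework.jdbc.core.ResultSetExtractor;
+import org.springframework.jdbc.core.RowCallbackHandler;
 import org.springframework.jdbc.core.RowMapper;
+import org.springframework.jdbc.core.SqlParameter;
 import org.springframework.jdbc.object.BatchSqlUpdate;
 import org.springframework.jdbc.object.MappingSqlQueryWithParameters;
 import org.springframework.jdbc.object.SqlFunction;
@@ -22,7 +28,7 @@ protected String updateRow(ResultSet rs, int rowNum, Map<?,?> context) {
 }
 }
 
-public static void test(JdbcTemplate template) {
+public static void test(JdbcTemplate template, NamedParameterJdbcOperations namedParamTemplate) {
 new BatchSqlUpdate(null, source()); // $ sqlInjection
 new SqlFunction(null, source()); // $ sqlInjection
 new SqlUpdate(null, source()); // $ sqlInjection
@@ -39,6 +45,37 @@ public static void test(JdbcTemplate template) {
 template.queryForObject(source(), (Class)null); // $ sqlInjection
 template.queryForRowSet(source()); // $ sqlInjection
 template.queryForStream(source(), (RowMapper)null); // $ sqlInjection
+
+namedParamTemplate.batchUpdate(source(), (Map<String, ?>[]) null); // $ sqlInjection
+namedParamTemplate.batchUpdate(source(), (SqlParameterSource[]) null); // $ sqlInjection
+namedParamTemplate.execute(source(), (PreparedStatementCallback) null); // $ sqlInjection
+namedParamTemplate.execute(source(), (Map<String, ?>) null, (PreparedStatementCallback) null); // $ sqlInjection
+namedParamTemplate.execute(source(), (SqlParameterSource) null, (PreparedStatementCallback) null); // $ sqlInjection
+namedParamTemplate.query(source(), (Map<String, ?>) null, (ResultSetExtractor) null); // $ sqlInjection
+namedParamTemplate.query(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.query(source(), (Map<String, ?>) null, (RowCallbackHandler) null); // $ sqlInjection
+namedParamTemplate.query(source(), (SqlParameterSource) null, (ResultSetExtractor) null); // $ sqlInjection
+namedParamTemplate.query(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.query(source(), (SqlParameterSource) null, (RowCallbackHandler) null); // $ sqlInjection
+namedParamTemplate.query(source(), (ResultSetExtractor) null); // $ sqlInjection
+namedParamTemplate.query(source(), (RowMapper) null); // $ sqlInjection
+namedParamTemplate.query(source(), (RowCallbackHandler) null); // $ sqlInjection
+namedParamTemplate.queryForList(source(), (Map<String, ?>) null); // $ sqlInjection
+namedParamTemplate.queryForList(source(), (Map<String, ?>) null, (Class) null); // $ sqlInjection
+namedParamTemplate.queryForMap(source(), (Map<String, ?>) null); // $ sqlInjection
+namedParamTemplate.queryForMap(source(), (SqlParameterSource) null); // $ sqlInjection
+namedParamTemplate.queryForObject(source(), (Map<String, ?>) null, (Class) null); // $ sqlInjection
+namedParamTemplate.queryForObject(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.queryForObject(source(), (SqlParameterSource) null, (Class) null); // $ sqlInjection
+namedParamTemplate.queryForObject(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.queryForRowSet(source(), (Map<String, ?>) null); // $ sqlInjection
+namedParamTemplate.queryForRowSet(source(), (SqlParameterSource) null); // $ sqlInjection
+namedParamTemplate.queryForStream(source(), (Map<String, ?>) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.queryForStream(source(), (SqlParameterSource) null, (RowMapper) null); // $ sqlInjection
+namedParamTemplate.update(source(), (Map<String, ?>) null); // $ sqlInjection
+namedParamTemplate.update(source(), (SqlParameterSource) null); // $ sqlInjection
+namedParamTemplate.update(source(), null, null); // $ sqlInjection
+namedParamTemplate.update(source(), null, null, null); // $ sqlInjection
 }
 
 }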
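Review bot: `import org.springframework.jdbc.core.SqlParameter;`, added in the first hunk, is not referenced by any of the new calls in `test`, so it appears unused unless the part of the class outside these hunks uses it; drop it if not, since the stub import set is what keeps this test compiling against the checked-in Spring stubs. The last two `update` calls in the third hunk pass bare `null` for the parameter-source and key-holder arguments while every other new call casts its nulls to the intended overload's parameter type; casting them too (e.g. `namedParamTemplate.update(source(), (SqlParameterSource) null, (KeyHolder) null); // $ sqlInjection`, provided the stub package supplies `KeyHolder`) makes the exercised overload explicit and keeps the test unambiguous if further overloads are stubbed later. The enclosing class, including the `source()` helper these calls rely on, begins before the first hunk.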

java/ql/test/stubs/springframework-5.3.8/org/springframework/jdbc/core/JdbcOperations.java

Lines changed: 35 additions & 35 deletions
