-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSqlUnescaped.ql
More file actions
52 lines (45 loc) · 1.73 KB
/
SqlUnescaped.ql
File metadata and controls
52 lines (45 loc) · 1.73 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
/**
* @name Query built without neutralizing special characters
* @description Building a SQL or Java Persistence query without escaping or otherwise neutralizing any special
* characters is vulnerable to insertion of malicious code.
* @kind problem
* @problem.severity error
* @precision high
* @id java/concatenated-sql-query
* @tags security
* external/cwe/cwe-089
*/
import java
import semmle.code.java.security.SqlUnescapedLib
import SqlInjectionLib
class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
UncontrolledStringBuilderSource() {
exists(StringBuilderVar sbv |
uncontrolledStringBuilderQuery(sbv, _) and
this.getExpr() = sbv.getToStringCall()
)
}
}
class UncontrolledStringBuilderSourceFlowConfig extends TaintTracking::Configuration {
UncontrolledStringBuilderSourceFlowConfig() {
this = "SqlUnescaped::UncontrolledStringBuilderSourceFlowConfig"
}
override predicate isSource(DataFlow::Node src) { src instanceof UncontrolledStringBuilderSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or node.getType() instanceof BoxedType
}
}
from QueryInjectionSink query, Expr uncontrolled
where
(
builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
or
exists(StringBuilderVar sbv, UncontrolledStringBuilderSourceFlowConfig conf |
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
conf.hasFlow(DataFlow::exprNode(sbv.getToStringCall()), query)
)
) and
not queryTaintedBy(query, _, _)
select query, "Query might not neutralize special characters in $@.", uncontrolled,
"this expression"