Attempt to add MyBatis' sinks and taint steps to SQL and OGNL injection queries

jorgectf · jorgectf · commit 447636bf1ce1 · 2022-03-09T04:21:26.000+01:00
diff --git a/java/ql/lib/semmle/code/java/security/OgnlInjection.qll b/java/ql/lib/semmle/code/java/security/OgnlInjection.qll
@@ -122,3 +122,13 @@ private class DefaultOgnlInjectionAdditionalTaintStep extends OgnlInjectionAddit
     setExpressionStep(node1, node2)
   }
 }
+
+private import semmle.code.java.frameworks.MyBatis::ProviderInjection
+
+private class MyBatisOgnlInjectionSink extends OgnlInjectionSink instanceof MyBatisInjectionSink { }
+
+private class MyBatisAbstractSQLOgnlInjectionStep extends OgnlInjectionAdditionalTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    any(MyBatisAbstractSQLStep step).step(node1, node2)
+  }
+}
diff --git a/java/ql/lib/semmle/code/java/security/QueryInjection.qll b/java/ql/lib/semmle/code/java/security/QueryInjection.qll
@@ -66,3 +66,13 @@ private class MongoJsonStep extends AdditionalQueryInjectionTaintStep {
     )
   }
 }
+
+private import semmle.code.java.frameworks.MyBatis::ProviderInjection
+
+private class MyBatisSqlInjectionSink extends QueryInjectionSink instanceof MyBatisInjectionSink { }
+
+private class MyBatisAbstractSQLInjectionStep extends AdditionalQueryInjectionTaintStep {
+  override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
+    any(MyBatisAbstractSQLStep step).step(node1, node2)
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -122,3 +122,13 @@ private class DefaultOgnlInjectionAdditionalTaintStep extends OgnlInjectionAddit`
`122`	`122`	`setExpressionStep(node1, node2)`
`123`	`123`	`}`
`124`	`124`	`}`
	`125`	`+`
	`126`	`+private import semmle.code.java.frameworks.MyBatis::ProviderInjection`
	`127`	`+`
	`128`	`+private class MyBatisOgnlInjectionSink extends OgnlInjectionSink instanceof MyBatisInjectionSink { }`
	`129`	`+`
	`130`	`+private class MyBatisAbstractSQLOgnlInjectionStep extends OgnlInjectionAdditionalTaintStep {`
	`131`	`+ override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
	`132`	`+ any(MyBatisAbstractSQLStep step).step(node1, node2)`
	`133`	`+ }`
	`134`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -66,3 +66,13 @@ private class MongoJsonStep extends AdditionalQueryInjectionTaintStep {`
`66`	`66`	`)`
`67`	`67`	`}`
`68`	`68`	`}`
	`69`	`+`
	`70`	`+private import semmle.code.java.frameworks.MyBatis::ProviderInjection`
	`71`	`+`
	`72`	`+private class MyBatisSqlInjectionSink extends QueryInjectionSink instanceof MyBatisInjectionSink { }`
	`73`	`+`
	`74`	`+private class MyBatisAbstractSQLInjectionStep extends AdditionalQueryInjectionTaintStep {`
	`75`	`+ override predicate step(DataFlow::Node node1, DataFlow::Node node2) {`
	`76`	`+ any(MyBatisAbstractSQLStep step).step(node1, node2)`
	`77`	`+ }`
	`78`	`+}`