
Commit 9aa440e

Refactor MyBatisAbstractSQLMethodsStep and MyBatisAbstractSQLMethod
See https://github.com/github/codeql/pull/8345#discussion_r826734537
1 parent f10dac3 commit 9aa440e

1 file changed

Lines changed: 35 additions & 15 deletions


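--- a/java/ql/lib/semmle/code/java/frameworks/MyBatis.qll
+++ b/java/ql/lib/semmle/code/java/frameworks/MyBatis.qll
@@ -116,15 +116,36 @@ private class MyBatisProvider extends RefType {
 }
 }
 
-private class MyBatisAbstractSQLMethodNames extends string {
-MyBatisAbstractSQLMethodNames() {
-this in [
-"SELECT", "OFFSET_ROWS", "FETCH_FIRST_ROWS_ONLY", "OFFSET", "LIMIT", "ORDER_BY", "HAVING",
-"GROUP_BY", "WHERE", "OUTER_JOIN", "RIGHT_OUTER_JOIN", "LEFT_OUTER_JOIN", "INNER_JOIN",
-"JOIN", "FROM", "DELETE_FROM", "SELECT_DISTINCT", "SELECT", "INTO_VALUES", "INTO_COLUMNS",
-"VALUES", "INSERT_INTO", "SET", "UPDATE"
-]
+private class MyBatisAbstractSQLMethod extends Method {
+string taintedArgs;
+string signature;
+
+MyBatisAbstractSQLMethod() {
+this.getDeclaringType().getSourceDeclaration() instanceof MyBatisAbstractSQL and
+(
+this.hasName([
+"UPDATE", "SET", "INSERT_INTO", "SELECT", "OFFSET_ROWS", "LIMIT", "OFFSET",
+"FETCH_FIRST_ROWS_ONLY", "DELETE_FROM", "INNER_JOIN", "ORDER_BY", "WHERE", "HAVING",
+"OUTER_JOIN", "LEFT_OUTER_JOIN", "RIGHT_OUTER_JOIN", "GROUP_BY", "FROM", "SELECT_DISTINCT"
+]) and
+taintedArgs = "Argument[0]" and
+signature = "String"
+or
+this.hasName([
+"SET", "INTO_COLUMNS", "INTO_VALUES", "SELECT_DISTINCT", "FROM", "JOIN", "INNER_JOIN",
+"LEFT_OUTER_JOIN", "RIGHT_OUTER_JOIN", "OUTER_JOIN", "WHERE", "GROUP_BY", "HAVING",
+"ORDER_BY"
+]) and
+taintedArgs = "Argument[0].ArrayElement" and
+signature = "String[]"
+or
+this.hasName("VALUES") and taintedArgs = "Argument[0..1]" and signature = "String,String"
+)
 }
+
+string getTaintedArgs() { result = taintedArgs }
+
+string getCsvSignature() { result = signature }
 }
 
 /**
@@ -170,19 +191,18 @@ private class MyBatisAbstractSQLToStringStep extends SummaryModelCsv {
 
 private class MyBatisAbstractSQLMethodsStep extends SummaryModelCsv {
 override predicate row(string row) {
-row =
-[
-"org.apache.ibatis.jdbc;AbstractSQL;true;" + any(MyBatisAbstractSQLMethodNames m) +
-";;;Argument[0..1];ReturnValue;taint"
-]
+exists(MyBatisAbstractSQLMethod m |
+row =
+"org.apache.ibatis.jdbc;AbstractSQL;true;" + m.getName() + ";(" + m.getCsvSignature() +
+");;" + m.getTaintedArgs() + ";ReturnValue;taint"
+)
 }
 }
 
 private class MyBatisAbstractSQLAnonymousClassStep extends TaintTracking::AdditionalTaintStep {
 override predicate step(DataFlow::Node node1, DataFlow::Node node2) {
 exists(MethodAccess ma, ClassInstanceExpr c |
-ma.getMethod().getDeclaringType().getSourceDeclaration() instanceof MyBatisAbstractSQL and
-ma.getMethod().getName() instanceof MyBatisAbstractSQLMethodNames and
+ma.getMethod() instanceof MyBatisAbstractSQLMethod and
 c.getAnonymousClass().getACallable() = ma.getCaller() and
 node1.asExpr() = ma and
 node2.asExpr() = c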
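Review bot: The single-`String` branch of `MyBatisAbstractSQLMethod` (new lines 126–132 of the first hunk) drops `JOIN`, which the removed `MyBatisAbstractSQLMethodNames` list did cover, so if `AbstractSQL` declares a `JOIN(String)` overload alongside `JOIN(String...)`, taint through that call is no longer summarised and the corresponding SQL-injection result is lost rather than made more precise. The same check applies the other way to `SELECT`, which now appears only in the `String` branch although the removed signature-less row (`;;;Argument[0..1]`) modelled every overload of each listed name; adding `"JOIN"` to the first `hasName` list and confirming whether `"SELECT"` belongs in the second would close the gap. The new class and its two accessors also carry no QLDoc; a comment such as `/** A method of AbstractSQL whose argument(s) flow into the SQL being built; getTaintedArgs() and getCsvSignature() supply the CSV summary fragments for its overload. */` would explain why the name lists are split by parameter signature. Because `MyBatisAbstractSQLAnonymousClassStep` in the second hunk now also tests `instanceof MyBatisAbstractSQLMethod`, any name missing here is missing from that additional taint step too, so a single fix covers both.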
