Java: Add binding between annotation and sink-param in MyBatis SQL Injection query#11368

Merged
atorralba merged 5 commits into github:main from ka1n4t:main
Nov 24, 2022
Conversation

@ka1n4t
Contributor

@ka1n4t ka1n4t commented Nov 22, 2022

Add binding between annotation and sink-param.

In the case below, the rule MyBatisAnnotationSqlInjection.ql will find a vulnerability at parameter name in function testParamAnno1(). That is a false positive.

// Mapper excerpt from the PR description; imports and the enclosing interface (name assumed) added so it compiles.
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
public interface UserInfoMapper {
    @Select("select * from user_info where name = #{name} and age = ${age}")
    String testParamAnno1(@Param("name") String name, Integer age);

    @Select("select * from user_info where age = #{age}")
    String testParamAnno2(@Param("age") String age);
}

The root cause is that isMybatisXmlOrAnnotationSqlInjection() finds the annotation @Param in testParamAnno2() and binds it to ${age} in @Select("select * from user_info where name = #{name} and age = ${age}") when processing the parameter name in testParamAnno1(). So it raises a vulnerability on name when it sees ${age} bound to @Param("age").
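To make the binding problem concrete, here is a small Python model of the two behaviours described in this PR. It is an added illustration, not the PR's code and not the CodeQL query itself (which is written in QL); the mapper text in MAPPER_SOURCE is the two methods quoted above wrapped in a hypothetical UserInfoMapper interface, the function names are invented, and treating an un-annotated parameter as bound by its declared name is a simplifying assumption. The "unscoped" function pools @Param values across the whole interface, which is what produces the false positive on name; the "scoped" function ties each @Param to the parameter and method that declare it.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the two mapper methods quoted in the PR description,
# wrapped in a hypothetical interface (UserInfoMapper is not a real project file).
MAPPER_SOURCE = '''
public interface UserInfoMapper {
    @Select("select * from user_info where name = #{name} and age = ${age}")
    String testParamAnno1(@Param("name") String name, Integer age);

    @Select("select * from user_info where age = #{age}")
    String testParamAnno2(@Param("age") String age);
}
'''

# ${x} is raw text substitution into the SQL string (the injection sink);
# #{x} is a bound parameter and is deliberately not matched here.
SUBST_RE = re.compile(r'\$\{(\w+)\}')
METHOD_RE = re.compile(r'@Select\("(?P<sql>[^"]*)"\)\s*\S+\s+(?P<name>\w+)\((?P<params>.*?)\);')
PARAM_RE = re.compile(r'(?:@Param\("(?P<anno>\w+)"\)\s+)?\S+\s+(?P<pname>\w+)')


@dataclass
class MapperMethod:
    name: str
    sql: str
    params: list  # (declared name, @Param value or None), in declaration order


def parse_mapper(source):
    """Extract each @Select-annotated method with its SQL and parameter list."""
    methods = []
    for m in METHOD_RE.finditer(source):
        params = []
        for raw in m.group('params').split(','):
            pm = PARAM_RE.fullmatch(raw.strip())
            params.append((pm.group('pname'), pm.group('anno')))
        methods.append(MapperMethod(m.group('name'), m.group('sql'), params))
    return methods


def find_sinks_unscoped(methods):
    """Behaviour before the fix, simplified: @Param values are pooled across the
    whole interface, so ${age} in testParamAnno1 is 'bound' to the @Param("age")
    that actually belongs to testParamAnno2, and every parameter of the method
    holding the placeholder gets reported."""
    pooled = {anno for mth in methods for _, anno in mth.params if anno}
    findings = set()
    for mth in methods:
        if set(SUBST_RE.findall(mth.sql)) & pooled:
            findings.update((mth.name, pname) for pname, _ in mth.params)
    return findings


def find_sinks_scoped(methods):
    """Behaviour after the fix, simplified: a parameter is a sink only when its own
    binding name (its @Param value, else, as a simplifying assumption, its declared
    name) appears as a ${...} placeholder in the SQL of the method declaring it."""
    findings = set()
    for mth in methods:
        substituted = set(SUBST_RE.findall(mth.sql))
        for pname, anno in mth.params:
            if (anno or pname) in substituted:
                findings.add((mth.name, pname))
    return findings


if __name__ == '__main__':
    parsed = parse_mapper(MAPPER_SOURCE)
    print('unscoped (false positive on name):', sorted(find_sinks_unscoped(parsed)))
    print('scoped   (only the real sink):    ', sorted(find_sinks_scoped(parsed)))
```

Running it, the unscoped pass reports both name and age of testParamAnno1, while the scoped pass reports only age, the parameter whose value is actually spliced into the query text via ${age}.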

@ka1n4t ka1n4t requested a review from a team as a code owner November 22, 2022 10:44
@github-actions github-actions Bot added the Java label Nov 22, 2022
@atorralba
Contributor

This looks like an interesting addition, thanks for the contribution! Would you mind adding a test case highlighting the issue you're fixing?

@ka1n4t
Contributor Author

ka1n4t commented Nov 23, 2022

This looks like an interesting addition, thanks for the contribution! Would you mind adding a test case highlighting the issue you're fixing?

Of course! I have committed the test case

Contributor

@atorralba atorralba left a comment

Thanks for adding the test! I added some small suggestions to improve readability, but otherwise this LGTM.

Comment thread java/ql/src/experimental/Security/CWE/CWE-089/MyBatisCommonLib.qll Outdated
@ka1n4t
Contributor Author

ka1n4t commented Nov 24, 2022

Thanks for adding the test! I added some small suggestions to improve readability, but otherwise this LGTM.

That looks great!

@atorralba atorralba changed the title Add binding between annotation and sink-param Java: Add binding between annotation and sink-param in MyBatis SQL Injection query Nov 24, 2022
atorralba
atorralba previously approved these changes Nov 24, 2022
@atorralba atorralba merged commit adf905d into github:main Nov 24, 2022