Add test case for PR-11368
ka1n4t committed Nov 23, 2022
commit d113fb23c839723e96709db42b071b7f90c484e4
@@ -1,16 +1,30 @@
edges
| MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjection.java:63:35:63:38 | name : String |
| MybatisSqlInjection.java:63:35:63:38 | name : String | MybatisSqlInjectionService.java:48:19:48:29 | name : String |
| MybatisSqlInjection.java:94:21:94:45 | name : String | MybatisSqlInjection.java:95:37:95:40 | name : String |
| MybatisSqlInjection.java:95:37:95:40 | name : String | MybatisSqlInjectionService.java:76:21:76:31 | name : String |
| MybatisSqlInjection.java:99:21:99:44 | age : String | MybatisSqlInjection.java:100:37:100:39 | age : String |
| MybatisSqlInjection.java:100:37:100:39 | age : String | MybatisSqlInjectionService.java:80:21:80:30 | age : String |
| MybatisSqlInjectionService.java:48:19:48:29 | name : String | MybatisSqlInjectionService.java:50:23:50:26 | name : String |
| MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap |
| MybatisSqlInjectionService.java:50:23:50:26 | name : String | MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String |
| MybatisSqlInjectionService.java:76:21:76:31 | name : String | MybatisSqlInjectionService.java:77:29:77:32 | name |
| MybatisSqlInjectionService.java:80:21:80:30 | age : String | MybatisSqlInjectionService.java:81:29:81:31 | age |
nodes
| MybatisSqlInjection.java:62:19:62:43 | name : String | semmle.label | name : String |
| MybatisSqlInjection.java:63:35:63:38 | name : String | semmle.label | name : String |
| MybatisSqlInjection.java:94:21:94:45 | name : String | semmle.label | name : String |
| MybatisSqlInjection.java:95:37:95:40 | name : String | semmle.label | name : String |
| MybatisSqlInjection.java:99:21:99:44 | age : String | semmle.label | age : String |
| MybatisSqlInjection.java:100:37:100:39 | age : String | semmle.label | age : String |
| MybatisSqlInjectionService.java:48:19:48:29 | name : String | semmle.label | name : String |
| MybatisSqlInjectionService.java:50:3:50:9 | hashMap [post update] [<map.value>] : String | semmle.label | hashMap [post update] [<map.value>] : String |
| MybatisSqlInjectionService.java:50:23:50:26 | name : String | semmle.label | name : String |
| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | semmle.label | hashMap |
| MybatisSqlInjectionService.java:76:21:76:31 | name : String | semmle.label | name : String |
| MybatisSqlInjectionService.java:77:29:77:32 | name | semmle.label | name |
| MybatisSqlInjectionService.java:80:21:80:30 | age : String | semmle.label | age : String |
| MybatisSqlInjectionService.java:81:29:81:31 | age | semmle.label | age |
subpaths
#select
| MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MybatisSqlInjection.java:62:19:62:43 | name : String | MybatisSqlInjectionService.java:51:27:51:33 | hashMap | MyBatis annotation SQL injection might include code from $@ to $@. | MybatisSqlInjection.java:62:19:62:43 | name | this user input | SqlInjectionMapper.java:33:2:33:54 | Select | this SQL operation |
Expand Up @@ -79,7 +79,7 @@ public String badSelect(@RequestParam String name) {
public void badDelete(@RequestParam String name) {
mybatisSqlInjectionService.badDelete(name);
}

@GetMapping(value = "badUpdate")
public void badUpdate(@RequestParam String name) {
mybatisSqlInjectionService.badUpdate(name);
Expand All @@ -89,4 +89,14 @@ public void badUpdate(@RequestParam String name) {
public void badInsert(@RequestParam String name) {
mybatisSqlInjectionService.badInsert(name);
}

@GetMapping(value = "kkbad1")
public void kkbad1(@RequestParam String name, @RequestParam Integer age) {
mybatisSqlInjectionService.kkbad1(name, age);
}

@GetMapping(value = "kkbad2")
public void kkbad2(@RequestParam String age) {
mybatisSqlInjectionService.kkbad2(age);
}
}
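Review bot: The new `kkbad1` and `kkbad2` endpoints carry no comment saying whether they are expected to be reported, and the expected output updated in this same commit lists only the existing `badSelect` result under `#select`, so the "bad" in the names contradicts what the test asserts. A one-line comment on each would make the intent explicit, e.g. `// name is bound via #{name}: no finding expected` on `kkbad1` and `// age is bound via #{age}: no finding expected` on `kkbad2`. If `kkbad1` is instead meant as a true positive for the `${age}` substitution in the mapper, note that the recorded flow edges only track `name` into that call, never the `Integer age` argument, so the case would need a `String` parameter and an updated expectation. The enclosing controller class starts outside the hunk.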
Expand Up @@ -72,4 +72,12 @@ public void badUpdate(String input) {
public void badInsert(String input) {
sqlInjectionMapper.badInsert(input);
}

public void kkbad1(String name, Integer age){
sqlInjectionMapper.kkbad1(name, age);
}

public void kkbad2(String age){
sqlInjectionMapper.kkbad2(age);
}
}
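Review bot: `kkbad1(String name, Integer age){` and `kkbad2(String age){` drop the space before the opening brace that `badInsert(String input) {` in the same file uses; write `public void kkbad1(String name, Integer age) {` and `public void kkbad2(String age) {` so the new pass-through methods match the surrounding style. The enclosing service class starts outside the hunk.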
Expand Up @@ -37,26 +37,33 @@ public interface SqlInjectionMapper {

//using providers
@SelectProvider(
type = MyBatisProvider.class,
method = "badSelect"
type = MyBatisProvider.class,
method = "badSelect"
)
String badSelect(String input);

@DeleteProvider(
type = MyBatisProvider.class,
method = "badDelete"
type = MyBatisProvider.class,
method = "badDelete"
)
void badDelete(String input);

@UpdateProvider(
type = MyBatisProvider.class,
method = "badUpdate"
type = MyBatisProvider.class,
method = "badUpdate"
)
void badUpdate(String input);

@InsertProvider(
type = MyBatisProvider.class,
method = "badInsert"
type = MyBatisProvider.class,
method = "badInsert"
)
void badInsert(String input);

@Select("select * from user_info where name = #{name} and age = ${age}")
String kkbad1(@Param("name") String name, Integer age);

@Select("select * from user_info where age = #{age}")
String kkbad2(@Param("age") String age);

}
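Review bot: `kkbad1` references `${age}` in its `@Select` statement but declares `Integer age` without `@Param`, while the sibling `name` parameter is annotated; MyBatis addresses unannotated parameters of a multi-parameter mapper method only by position (`arg1`/`param2`), so `${age}` does not resolve under that name and the case does not exercise the `${}` substitution it appears intended to test — declare it as `@Param("age") Integer age`. A short comment above each new method should also state which placeholder form is the sink: `#{...}` is passed as a bind parameter of a prepared statement, whereas `${...}` is spliced into the SQL text before it is parsed, which is why `kkbad2`, using only `#{age}`, is absent from the expected `#select` output this commit updates. The remainder of the hunk only re-indents the existing `@*Provider` annotations. The `SqlInjectionMapper` interface header is outside the hunk.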