Java: more database update tests and stubs

Author: Jami Cogswell

java/ql/test/query-tests/security/CWE-352/CsrfUnprotectedRequestTypeTest.java

@@ -22,6 +22,10 @@
 import org.kohsuke.stapler.QueryParameter;
 import org.kohsuke.stapler.HttpRedirect;
 import org.kohsuke.stapler.HttpResponses;
+import org.apache.ibatis.jdbc.SqlRunner;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+import java.util.Map;
 
 @Controller
 public class CsrfUnprotectedRequestTypeTest {
@@ -142,29 +146,46 @@ public void bad6() { // $ hasCsrfUnprotectedRequestType
         } catch (SQLException e) { }
     }
 
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `Statement.executeUpdate`
     @RequestMapping("/")
     public void badStatementExecuteUpdate() { // $ hasCsrfUnprotectedRequestType
         try {
             String item = "item";
             String price = "price";
             Statement statement = connection.createStatement();
-            String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
-            int count = statement.executeUpdate(query);
+            String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            int count = statement.executeUpdate(sql);
         } catch (SQLException e) { }
     }
 
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `Statement.executeLargeUpdate`
+    @RequestMapping("/")
+    public void badStatementExecuteLargeUpdate() { // $ hasCsrfUnprotectedRequestType
+        try {
+            String item = "item";
+            String price = "price";
+            Statement statement = connection.createStatement();
+            String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            long count = statement.executeLargeUpdate(sql);
+        } catch (SQLException e) { }
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `Statement.execute` with SQL UPDATE
     @RequestMapping("/")
     public void badStatementExecute() { // $ hasCsrfUnprotectedRequestType
         try {
             String item = "item";
             String price = "price";
             Statement statement = connection.createStatement();
-            String query = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
-            boolean bool = statement.execute(query);
+            String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            boolean bool = statement.execute(sql);
         } catch (SQLException e) { }
     }
 
-    // GOOD: select not insert/update/delete
+    // GOOD: does not update a database, queries with SELECT
     @RequestMapping("/")
     public void goodStatementExecute() {
         try {
@@ -176,6 +197,92 @@ public void goodStatementExecute() {
         } catch (SQLException e) { }
     }
 
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `SqlRunner.insert`
+    @RequestMapping("/")
+    public void badSqlRunnerInsert() { // $ hasCsrfUnprotectedRequestType
+        try {
+            String item = "item";
+            String price = "price";
+            String sql = "INSERT PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            SqlRunner sqlRunner = new SqlRunner(connection);
+            sqlRunner.insert(sql);
+        } catch (SQLException e) { }
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `SqlRunner.update`
+    @RequestMapping("/")
+    public void badSqlRunnerUpdate() { // $ hasCsrfUnprotectedRequestType
+        try {
+            String item = "item";
+            String price = "price";
+            String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            SqlRunner sqlRunner = new SqlRunner(connection);
+            sqlRunner.update(sql);
+        } catch (SQLException e) { }
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `SqlRunner.delete`
+    @RequestMapping("/")
+    public void badSqlRunnerDelete() { // $ hasCsrfUnprotectedRequestType
+        try {
+            String item = "item";
+            String price = "price";
+            String sql = "DELETE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+            SqlRunner sqlRunner = new SqlRunner(connection);
+            sqlRunner.delete(sql);
+        } catch (SQLException e) { }
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `NamedParameterJdbcTemplate.update`
+    @RequestMapping("/")
+    public void badNamedParameterJdbcTemplateUpdate() { // $ hasCsrfUnprotectedRequestType
+        String item = "item";
+        String price = "price";
+        String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+        JdbcTemplate jdbcTemplate = new JdbcTemplate();
+        NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+        nameParamjdbcTemplate.update(sql, null, null);
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `NamedParameterJdbcTemplate.batchUpdate`
+    @RequestMapping("/")
+    public void badNamedParameterJdbcTemplateBatchUpdate() { // $ hasCsrfUnprotectedRequestType
+        String item = "item";
+        String price = "price";
+        String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+        JdbcTemplate jdbcTemplate = new JdbcTemplate();
+        NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+        nameParamjdbcTemplate.batchUpdate(sql, (Map<String,?>[]) null);
+    }
+
+    // BAD: allows request type not default-protected from CSRF when
+    // updating a database using `NamedParameterJdbcTemplate.execute`
+    @RequestMapping("/")
+    public void badNamedParameterJdbcTemplateExecute() { // $ hasCsrfUnprotectedRequestType
+        String item = "item";
+        String price = "price";
+        String sql = "UPDATE PRODUCT SET PRICE='" + price + "' WHERE ITEM='" + item + "'";
+        JdbcTemplate jdbcTemplate = new JdbcTemplate();
+        NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+        nameParamjdbcTemplate.execute(sql, null);
+    }
+
+    // GOOD: does not update a database, queries with SELECT
+    @RequestMapping("/")
+    public void goodNamedParameterJdbcTemplateExecute() {
+        String category = "category";
+        String query = "SELECT ITEM,PRICE FROM PRODUCT WHERE ITEM_CATEGORY='"
+                + category + "' ORDER BY PRICE";
+        JdbcTemplate jdbcTemplate = new JdbcTemplate();
+        NamedParameterJdbcTemplate nameParamjdbcTemplate = new NamedParameterJdbcTemplate(jdbcTemplate);
+        nameParamjdbcTemplate.execute(query, null);
+    }
+
     @Autowired
 	private MyBatisService myBatisService;
 

java/ql/test/query-tests/security/CWE-352/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8/:${testdir}/../../../stubs/org.mybatis-3.5.4/:${testdir}/../../../stubs/stapler-1.263/:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/jaxen-1.2.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/springframework-5.3.8/:${testdir}/../../../stubs/org.mybatis-3.5.4/:${testdir}/../../../stubs/stapler-1.263/:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/apache-commons-logging-1.2/