Java: add a class for methods that update a sql database (found using sql-injection nodes)

Jami Cogswell · Jami Cogswell · commit a2b19436aa8f · 2024-12-16T19:23:42.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll b/java/ql/lib/semmle/code/java/security/CsrfUnprotectedRequestTypeQuery.qll
@@ -4,6 +4,8 @@ import java
 private import semmle.code.java.frameworks.spring.SpringController
 private import semmle.code.java.frameworks.MyBatis
 private import semmle.code.java.frameworks.Jdbc
+private import semmle.code.java.dataflow.DataFlow
+private import semmle.code.java.dataflow.ExternalFlow
 
 /** A method that is not protected from CSRF by default. */
 abstract class CsrfUnprotectedMethod extends Method { }
@@ -54,3 +56,15 @@ private class PreparedStatementDatabaseUpdateMethod extends DatabaseUpdateMethod
     this instanceof PreparedStatementExecuteLargeUpdateMethod
   }
 }
+
+/** A method that updates a SQL database. */
+private class SqlDatabaseUpdateMethod extends DatabaseUpdateMethod {
+  SqlDatabaseUpdateMethod() {
+    // TODO: constrain to only insert/update/delete for `execute%` methods; need to track the sql expression into the execute call.
+    exists(DataFlow::Node n | this = n.asExpr().(Argument).getCall().getCallee() |
+      sinkNode(n, "sql-injection") and
+      this.getName()
+          .regexpMatch(".*(?i)(delete|insert|update|save|persist|merge|replicate|execute).*")
+    )
+  }
+}
