-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSqlConcatenated.ql
More file actions
32 lines (30 loc) · 1.08 KB
/
SqlConcatenated.ql
File metadata and controls
32 lines (30 loc) · 1.08 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/**
* @name Query built by concatenation with a possibly-untrusted string
* @description Building a SQL or Java Persistence query by concatenating a possibly-untrusted string
* is vulnerable to insertion of malicious code.
* @kind problem
* @problem.severity error
* @security-severity 8.8
* @precision medium
* @id java/concatenated-sql-query
* @tags security
* external/cwe/cwe-089
* external/cwe/cwe-564
*/
import java
import semmle.code.java.security.SqlConcatenatedLib
import semmle.code.java.security.SqlInjectionQuery
import semmle.code.java.security.SqlConcatenatedQuery
from QueryInjectionSink query, Expr uncontrolled
where
(
builtFromUncontrolledConcat(query.asExpr(), uncontrolled)
or
exists(StringBuilderVar sbv |
uncontrolledStringBuilderQuery(sbv, uncontrolled) and
UncontrolledStringBuilderSourceFlow::flow(DataFlow::exprNode(sbv.getToStringCall()), query)
)
) and
not queryIsTaintedBy(query, _, _)
select query, "Query built by concatenation with $@, which may be untrusted.", uncontrolled,
"this expression"