CheckPoint2.ql
import java
// First find all the methods
// from Method m
// select m
// Find all the methods named getAverageRating
// from Method m
// where m.hasName("getAverageRating")
// select m
// Find all the methods named getAverageRating whose first parameter is named fromSql
// from Method m
// where m.hasName("getAverageRating") and m.getParameter(0).hasName("fromsql")
// select m
// Find all the methods named getAverageRatingFromQuery
// from Method m
// where m.hasName("getAverageRatingFromQuery")
// select m
// Find all the methods named getAverageRatingFromQuery with a definition
// from Method m
// where m.hasName("getAverageRatingFromQuery") and
// exists(m.getBody())
// select m
// Find all method calls (called method accesses in CodeQL) to methods named search
// from MethodAccess ma
// where ma.getMethod().hasName("search")
// select ma
// Find the fully qualified name of the declaring type of the method search that is called in `getAverageRatingFromQuery`
// from MethodAccess ma, Method m
// where ma.getMethod() = m and
// m.hasName("search") and
// ma.getEnclosingCallable().hasName("getAverageRatingFromQuery")
// select ma, m.getQualifiedName()
// Find the search method call and its first argument.
// from Method searchMethod, MethodAccess searchMethodInvocation, Expr firstArg
// where searchMethod.hasQualifiedName("com.xpn.xwiki.store","XWikiStoreInterface","search") and
// searchMethod = searchMethodInvocation.getMethod() and
// searchMethodInvocation.getArgument(0) = firstArg
// select searchMethodInvocation, firstArg
// Import the SQL injection data flow configuration and extension points.
import semmle.code.java.security.SqlInjectionQuery
/**
 * A query-injection sink for XWiki's store API: the first argument of a call
 * to a method named `search` declared on
 * `com.xpn.xwiki.store.XWikiStoreInterface`.
 *
 * The match is by name only, so every overload of `search` on that interface
 * is covered, and only argument 0 is treated as the query text.
 *
 * NOTE(review): the callee is compared against the interface declaration
 * itself. Calls whose static target is an overriding `search` on an
 * implementing class are presumably not matched; confirm against the target
 * database before relying on this sink for full coverage.
 */
class XWikiSearchSqlInjectionSink extends QueryInjectionSink {
  XWikiSearchSqlInjectionSink() {
    exists(MethodAccess searchCall |
      // Callee must be XWikiStoreInterface.search.
      searchCall
          .getMethod()
          .hasQualifiedName("com.xpn.xwiki.store", "XWikiStoreInterface", "search") and
      // The sink node is the expression passed as the first argument.
      this.asExpr() = searchCall.getArgument(0)
    )
  }
}
// Checkpoint query: list every QueryInjectionSink, which includes the
// XWikiSearchSqlInjectionSink expressions because that class extends
// QueryInjectionSink.
// This only enumerates sinks. No source or data-flow path is checked here, so
// each result is a location to review, not a confirmed SQL injection.
from QueryInjectionSink sink
select sink