Initial SQL injection for springframework

joernio · Apr 12, 2021 · e29736e · e29736e
1 parent 5362d06
commit e29736e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 1 deletion.
diff --git a/src/main/scala/io/joern/scanners/QueryTags.scala b/src/main/scala/io/joern/scanners/QueryTags.scala
@@ -12,5 +12,6 @@ object QueryTags {
 
   val integers = "integers"
   val strings = "strings"
-
+  val sqlInjection = "SQL injection"
+  val sqli = "SQLi"
 }
diff --git a/src/main/scala/io/joern/scanners/java/SQLInjection.scala b/src/main/scala/io/joern/scanners/java/SQLInjection.scala
@@ -0,0 +1,43 @@
+package io.joern.scanners.java;
+
+import io.joern.scanners._
+import io.shiftleft.semanticcpg.language._
+import io.shiftleft.console._
+import io.shiftleft.macros.QueryMacros._
+import io.shiftleft.dataflowengineoss.language._
+import io.shiftleft.dataflowengineoss.queryengine.EngineContext
+
+// The queries are tied to springframework
+object SQLInjection extends QueryBundle {
+
+  implicit val resolver: ICallResolver = NoResolve
+
+  @q
+  def sqlInjection()(implicit context: EngineContext): Query =
+    Query.make(
+      name = "SQL injection",
+      author = Crew.niko,
+      title =
+        "SQL injection: A parameter is used in an insecure database API call.",
+      description =
+        """
+        |An attacker controlled parameter is used in an insecure database API call.
+        |
+        |If the parameter is not validated and sanitized, this is a SQL injection.
+        |""".stripMargin,
+      score = 5,
+      withStrRep({ cpg =>
+        def source =
+          cpg.method
+            .where(_.methodReturn.evalType(
+              "org.springframework.web.servlet.ModelAndView"))
+            .parameter
+
+        def sinks = cpg.method.name("query").parameter.order(1)
+
+        // sinks where the first argument is reachable by a source
+        sinks.reachableBy(source).l
+      }),
+      tags = List(QueryTags.sqli, QueryTags.sqlInjection)
+    )
+}