@@ -76,7 +76,7 @@ string getAMybatisAnnotationSqlValue(IbatisSqlOperationAnnotation isoa) {
7676
7777/** Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression. */
7878bindingset [ unsafeExpression]
79- predicate isMybatisAnnotationCollectionTypeSqlInjection (
79+ predicate isMybatisCollectionTypeSqlInjection (
8080 DataFlow:: Node node , MethodAccess ma , string unsafeExpression
8181) {
8282 not unsafeExpression .regexpMatch ( "\\$\\{" + getAMybatisConfigurationVariableKey ( ) + "\\}" ) and
@@ -100,38 +100,6 @@ predicate isMybatisAnnotationCollectionTypeSqlInjection(
100100 )
101101}
102102
103- /** Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression. */
104- bindingset [ unsafeExpression]
105- predicate isMybatisXmlCollectionTypeSqlInjection (
106- DataFlow:: Node node , MethodAccess ma , string unsafeExpression , MyBatisMapperXMLElement mmxe
107- ) {
108- not unsafeExpression .regexpMatch ( "\\$\\{" + getAMybatisConfigurationVariableKey ( ) + "\\}" ) and
109- // The parameter type of the MyBatis method parameter is Map or List or Array.
110- // SQL injection vulnerability caused by improper use of this parameter.
111- // e.g.
112- //
113- // ```java
114- // Test test(Map map);
115- // <select id="test" resultMap="BaseResultMap">
116- // select id,name from test where name in
117- // <foreach collection="list" item="value" open="(" close=")" separator=",">
118- // ${value}
119- // </foreach>
120- // </select>
121- // ```
122- exists ( int i , MyBatisMapperForeach mbmf |
123- mbmf = mmxe and
124- not ma .getMethod ( ) .getParameter ( i ) .getAnAnnotation ( ) .getType ( ) instanceof TypeParam and
125- (
126- ma .getMethod ( ) .getParameterType ( i ) instanceof MapType or
127- ma .getMethod ( ) .getParameterType ( i ) instanceof ListType or
128- ma .getMethod ( ) .getParameterType ( i ) instanceof Array
129- ) and
130- unsafeExpression .matches ( "${%}" ) and
131- ma .getArgument ( i ) = node .asExpr ( )
132- )
133- }
134-
135103/** Holds if `node` is an argument to `ma` that is vulnerable to SQL injection attacks if `unsafeExpression` occurs in a MyBatis SQL expression. */
136104bindingset [ unsafeExpression]
137105predicate isMybatisXmlOrAnnotationSqlInjection (