Skip to content

Java: Add java.lang.Number as a sanitizer for SQL injection.#2725

Merged
yo-h merged 2 commits intogithub:masterfrom
aschackmull:java/sqlinjection-number-barrier
Jan 30, 2020
Merged

Java: Add java.lang.Number as a sanitizer for SQL injection.#2725
yo-h merged 2 commits intogithub:masterfrom
aschackmull:java/sqlinjection-number-barrier

Conversation

@aschackmull
Copy link
Contributor

@aschackmull aschackmull commented Jan 30, 2020

Fixes #2722

@aschackmull aschackmull requested a review from a team as a code owner January 30, 2020 11:03
@yo-h
Copy link
Contributor

yo-h commented Jan 30, 2020

The private TypeNumber defined in Random.qll conflicts with the new definition in JDK.qll (see test failures).

@JLLeitschuh
Copy link
Contributor

JLLeitschuh commented Jan 30, 2020

Just a "how does this thing work" question: is it an API breaking change to move types around? I'm guessing it probably is from an import perspective, but not in other ways? Maybe?

@yo-h
Copy link
Contributor

yo-h commented Jan 30, 2020

Just a "how does this thing work" question: is it an API breaking change to move types around? I'm guessing it probably is from an import perspective, but not in other ways? Maybe?

What happened here is that a type name was introduced into JDK.qll, which is imported by java.qll, which is imported by Random.qll, which already contained a type with the same name.

See the section on Name resolution for details on how name resolution works in QL, in particular the notion of "definite" environment.

@yo-h yo-h merged commit 7ca7bdf into github:master Jan 30, 2020
@aschackmull aschackmull deleted the java/sqlinjection-number-barrier branch January 31, 2020 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yo-h yo-h yo-h approved these changes

Assignees

No one assigned

Labels

Java

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

LGTM.com - false positive - SqlInjectionLib doesn't consider java.lang.Number a sanitization

3 participants

@aschackmull @yo-h @JLLeitschuh