Java: Add java.lang.Number as a sanitizer for SQL injection.#2725

Merged
yo-h merged 2 commits into github:master from aschackmull:java/sqlinjection-number-barrier on Jan 30, 2020

Conversation

@aschackmull
Contributor

Fixes #2722
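To make the barrier concrete, here is an added illustration of the pattern this PR stops flagging. It is not code from the PR or from the CodeQL repository; the class and method names and the attacker string are constructed for the example. The point it shows is why a value whose static type is java.lang.Number (or a boxed primitive) cannot carry an injection payload into a concatenated query: the String-to-Number parse either rejects the input or yields a value whose toString() draws from a small, SQL-inert alphabet.

```java
import java.math.BigDecimal;
import java.math.BigInteger;
import java.util.ArrayList;
import java.util.List;

// Illustrative example, not part of the codeql project. Names are hypothetical.
public class NumberBarrierDemo {

    // Genuine SQL injection sink: an untrusted String is concatenated straight into the query.
    static String queryByIdUnsafe(String id) {
        return "SELECT * FROM users WHERE id = " + id;
    }

    // The false-positive pattern from the linked issue: the untrusted String is parsed into an
    // Integer before it reaches the query. Integer.valueOf either throws on non-numeric input
    // or yields a value whose toString() is digits with an optional leading '-'.
    static String queryByIdViaNumber(String id) {
        Integer parsed = Integer.valueOf(id);
        return queryById(parsed);
    }

    // Sink whose argument has static type Number: this is what the PR treats as sanitized.
    static String queryById(Number id) {
        return "SELECT * FROM users WHERE id = " + id;
    }

    // The property the sanitizer relies on, checked directly: every JDK Number's toString()
    // uses only digits, sign, '.', 'E' and the letters of "NaN" / "Infinity". None of those
    // is a quote, comment marker or statement separator.
    static boolean isSqlInert(Number n) {
        for (char c : n.toString().toCharArray()) {
            boolean ok = Character.isDigit(c) || c == '-' || c == '+' || c == '.' || c == 'E'
                    || "NaNInfinity".indexOf(c) >= 0;
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed attacker input.
        String attacker = "1 OR 1=1; DROP TABLE users; --";

        // The String path lets the payload through unchanged.
        System.out.println(queryByIdUnsafe(attacker));

        // The Number path rejects the payload at the parse step.
        try {
            System.out.println(queryByIdViaNumber(attacker));
        } catch (NumberFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(queryByIdViaNumber("42"));

        // Constructed sample of JDK Number subclasses, including the awkward float cases.
        List<Number> samples = new ArrayList<>();
        samples.add(Integer.MIN_VALUE);
        samples.add(Long.MAX_VALUE);
        samples.add(Double.NaN);
        samples.add(-1.5e-300);
        samples.add(Float.NEGATIVE_INFINITY);
        samples.add(new BigDecimal("1E+10"));
        samples.add(new BigInteger("-123456789012345678901234567890"));
        for (Number n : samples) {
            System.out.println(n + " -> inert=" + isSqlInert(n));
        }
    }
}
```

Two caveats a practitioner would keep in mind. The barrier keys on the static type, so a user-defined subclass of Number with an arbitrary toString() would be trusted just the same; that is an accepted imprecision of a type-based sanitizer, not something the JDK types exhibit. And "NaN" or "Infinity" reaching a query unquoted produces a SQL error, not attacker-controlled syntax. The unsafe String path above still wants a PreparedStatement parameter rather than concatenation; the sanitizer only stops the analysis from reporting the already-numeric case.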

@aschackmull aschackmull requested a review from a team as a code owner January 30, 2020 11:03
@yo-h
Contributor

yo-h commented Jan 30, 2020

The private TypeNumber defined in Random.qll conflicts with the new definition in JDK.qll (see test failures).

@JLLeitschuh
Contributor

Just a "how does this thing work" question: is it an API breaking change to move types around? I'm guessing it probably is from an import perspective, but not in other ways? Maybe?

@yo-h
Contributor

yo-h commented Jan 30, 2020

> Just a "how does this thing work" question: is it an API breaking change to move types around? I'm guessing it probably is from an import perspective, but not in other ways? Maybe?

What happened here is that a type name was introduced into JDK.qll, which is imported by java.qll, which is imported by Random.qll, which already contained a type with the same name.

See the section on Name resolution for details on how name resolution works in QL, in particular the notion of "definite" environment.

@yo-h yo-h merged commit 7ca7bdf into github:master Jan 30, 2020
@aschackmull aschackmull deleted the java/sqlinjection-number-barrier branch January 31, 2020 07:46
Successfully merging this pull request may close these issues.

LGTM.com - false positive - SqlInjectionLib doesn't consider java.lang.Number a sanitization