Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: Add mybatis mapper.xml sql tainted detection #6413

Closed
wants to merge 3 commits into from
Closed

Java: Add mybatis mapper.xml sql tainted detection #6413

wants to merge 3 commits into from

Conversation

Sharyie
Copy link

@Sharyie Sharyie commented Aug 4, 2021

Description:
I wrote ql to support sql injection dection in mybatis mapper.xml.

problem to resolve:

  1. mapper.xml sqlStatement could include other XMLElement,like this:
<sql id="BaseColumnList">
    id, username, age
</sql>
<sql id="Condition">
    where username = ${username}
</sql>

<select id="getUserByUsername" parameterType="java.lang.String" resultMap="BaseResultMap">
    select
    <include refid="BaseColumnList"></include>
    from userentity
    where username = ${username}
</select>

<select id="getUserByUsernameInclude" parameterType="java.lang.String" resultMap="BaseResultMap">
    select
    <include refid="BaseColumnList"></include>
    from userentity
    <include refid="Condition">
        <property name="username" value="'tom'"/>
    </include>
</select>

this ql committed didn't check sql query string in included element, I will fix it later.

  1. My sink is function in mapper class, so 2 codeflows will been found evey sql injection param. I have no idea and hope someone make it please.

@Sharyie Sharyie requested a review from a team as a code owner August 4, 2021 03:57
@github-actions github-actions bot added the Java label Aug 4, 2021
@smowton
Copy link
Contributor

smowton commented Aug 4, 2021

Are you intending to apply to the bounty program for this submission?

@Sharyie
Copy link
Author

Sharyie commented Aug 4, 2021

Are you intending to apply to the bounty program for this submission?

Yes, thanks for invitation.

@smowton
Copy link
Contributor

smowton commented Aug 4, 2021

OK, in that case review will start with the security lab once you've applied for the programme.

@smowton
Copy link
Contributor

smowton commented Aug 9, 2021

To do this you should follow the instructions at https://securitylab.github.com/bounties/ (section "All for one, one for all"). Note in particular the condition:

To be considered, your query must find at least one CVE that was not previously found by an existing query, in a released version (older releases are also permitted) of an open source project that is actually used (no demo, training, vulnerable on purpose).

@Sharyie
Copy link
Author

Sharyie commented Aug 13, 2021

To do this you should follow the instructions at https://securitylab.github.com/bounties/ (section "All for one, one for all"). Note in particular the condition:

To be considered, your query must find at least one CVE that was not previously found by an existing query, in a released version (older releases are also permitted) of an open source project that is actually used (no demo, training, vulnerable on purpose).

Thanks, I'm trying.

@greatyy
Copy link

greatyy commented Aug 27, 2021

Hello, how could I include my mapper.xml to database? when I run codeql database create -l java <database>, xml file will not be included in database folder

@greatyy
Copy link

greatyy commented Aug 27, 2021

Hello, how could I include my mapper.xml to database? when I run codeql database create -l java <database>, xml file will not be included in database folder

problem solved here. #3887

@Sharyie Sharyie closed this Aug 20, 2022
@Sharyie Sharyie mentioned this pull request Aug 20, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Sharyie @smowton @greatyy