diff --git a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
index 80ec142f214b..42768d024e80 100644
--- a/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/CommandLineQuery.qll
@@ -11,7 +11,10 @@ import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.ExternalProcess
 import semmle.code.java.security.CommandArguments
-private class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
+/**
+ * A taint-tracking configuration for unvalidated user input that is used to run an external process.
+ */
+class RemoteUserInputToArgumentToExecFlowConfig extends TaintTracking::Configuration {
 RemoteUserInputToArgumentToExecFlowConfig() { this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig" }
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
similarity index 71%
rename from java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
rename to java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
index febee9bcef9c..33a80455db04 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll
+++ b/java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
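Review bot: The string identity in the constructor, `this = "ExecCommon::RemoteUserInputToArgumentToExecFlowConfig"`, names a module other than CommandLineQuery.qll, and with `private` removed the class is now something other queries can reference by name. The SqlInjectionQuery.qll hunk has the same mismatch: `"SqlInjectionLib::QueryInjectionFlowConfig"` keeps the name of the file this commit renames away. If nothing depends on the old strings (the diff does not show whether anything does), I would align them with the files, e.g. `this = "CommandLineQuery::RemoteUserInputToArgumentToExecFlowConfig"` and `this = "SqlInjectionQuery::QueryInjectionFlowConfig"`. Both class bodies continue past the end of their hunks.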
@@ -1,10 +1,19 @@
-/** Definitions used by the queries for database query injection. */
+/**
+ * Provides taint tracking and dataflow configurations to be used in Sql injection queries.
+ *
+ * Do not import this from a library file, in order to reduce the risk of
+ * unintentionally bringing a TaintTracking::Configuration into scope in an unrelated
+ * query.
+ */
 import java
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.security.QueryInjection
-private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
+/**
+ * A taint-tracking configuration for unvalidated user input that is used in SQL queries.
+ */
+class QueryInjectionFlowConfig extends TaintTracking::Configuration {
 QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
 override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 28b09d37dbb1..50dfe9d725ae 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -14,7 +14,7 @@ import java
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 import DataFlow::PathGraph
 from QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
index df5807f3f5f7..acd4f9d8df5e 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlTaintedLocal.ql
@@ -14,7 +14,7 @@ import semmle.code.java.Expr
 import semmle.code.java.dataflow.FlowSources
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 import DataFlow::PathGraph
 class LocalUserInputToQueryInjectionFlowConfig extends TaintTracking::Configuration {
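Review bot: The new doc comments in the SqlInjectionQuery.qll hunk are less precise than the code they describe. The file header says "Sql injection queries" and promises "taint tracking and dataflow configurations", while the visible part of the file declares a single taint-tracking configuration; I would write `* Provides a taint-tracking configuration to be used in SQL injection queries.` The class comment says "unvalidated user input", but `isSource` accepts only `RemoteFlowSource` and SqlTaintedLocal.ql defines its own `LocalUserInputToQueryInjectionFlowConfig`, so `* A taint-tracking configuration for remote user input that is used in SQL queries.` would tell a reader which of the two they are importing. The "Do not import this from a library file" paragraph is worth keeping as written, since the file now sits under `lib/semmle/code/java/security/` beside ordinary libraries. The class body continues outside the hunk.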
diff --git a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
index e9e6cba37702..d73754e62029 100644
--- a/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
+++ b/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql
@@ -14,7 +14,7 @@ import java
 import semmle.code.java.security.SqlUnescapedLib
-import SqlInjectionLib
+import semmle.code.java.security.SqlInjectionQuery
 class UncontrolledStringBuilderSource extends DataFlow::ExprNode {
 UncontrolledStringBuilderSource() {