github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Does codeql support mybatis XML sqlinjection? #6229General issue #6230

Closed Sharyie closed 3 years ago

Sharyie commented 3 years ago

Hello, I want to detect SQL injection in a Spring Boot project using a MyBatis XML mapper, like this:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.test.mapper.testMapper">
  <resultMap id="BaseResultMap" type="com.test.po.TestPO">
    <id column="id" jdbcType="BIGINT" property="id" />
    <result column="detail" jdbcType="VARCHAR" property="detail" />
  </resultMap>
  <sql id="Base_Column_List">
    id, detail
  </sql>
  <select id="testSelect" resultMap="BaseResultMap">
    select
    <include refid="Base_Column_List"/>
    from info
    where 1
    AND detail = ${detail,jdbcType=VARCHAR}
  </select>
</mapper>
```

Evidently, there is a SQL injection vuln. CodeQL probably doesn't support query injection detection for a vuln like this, or I used CodeQL with the wrong method. Does CodeQL plan to support detection of this vuln?

smowton commented 3 years ago

We do not currently support searching for injection vulnerabilities present in XML documents like this. We do support vulnerabilities relating to use of the SqlRunner class.
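
Because the mapper XML is outside what the reply says CodeQL covers, a separate check can flag MyBatis `${...}` text substitution, which is pasted into the SQL string, as opposed to `#{...}`, which becomes a bound parameter. The following is an added example, not part of the thread and not CodeQL code; the function name, the `listSorted` and `safeSelect` statements and the sample mapper are constructed for illustration, and the check goes slightly beyond the question by also covering text nested in dynamic tags such as `<if>`.

```python
import re
import xml.etree.ElementTree as ET

# Mapper elements whose body is SQL text.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}
# ${...} is raw string substitution; #{...} is a prepared-statement parameter.
RAW_SUBSTITUTION = re.compile(r"\$\{([^}]*)\}")

# Constructed sample modelled on the mapper in the question.
# Mapper files are assumed to be trusted project sources.
SAMPLE_MAPPER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN" "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<mapper namespace="com.test.mapper.testMapper">
  <sql id="Base_Column_List">id, detail</sql>
  <select id="testSelect" resultType="map">
    select <include refid="Base_Column_List"/> from info
    where 1 AND detail = ${detail,jdbcType=VARCHAR}
  </select>
  <select id="listSorted" resultType="map">
    select id from info
    <if test="orderColumn != null">order by ${orderColumn}</if>
  </select>
  <select id="safeSelect" resultType="map">
    select id from info where detail = #{detail,jdbcType=VARCHAR}
  </select>
</mapper>
"""


def find_raw_substitutions(mapper_xml):
    """Return (namespace, statement id, expression) for each ${...} in a statement."""
    root = ET.fromstring(mapper_xml)
    namespace = root.get("namespace", "")
    findings = []
    for stmt in root:
        if stmt.tag not in STATEMENT_TAGS:
            continue
        # itertext() also walks text nested in <if>, <where>, <foreach>, ...
        sql_text = "".join(stmt.itertext())
        for match in RAW_SUBSTITUTION.finditer(sql_text):
            findings.append((namespace, stmt.get("id", ""), match.group(1).strip()))
    return findings


if __name__ == "__main__":
    for ns, stmt_id, expr in find_raw_substitutions(SAMPLE_MAPPER):
        print(f"{ns}.{stmt_id}: ${{{expr}}} is concatenated into the SQL text")
```

Each finding still needs a manual check of whether the substituted value can be influenced by a caller, since the script does no data-flow tracking.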