/**
* Provides classes and predicates for working with the Java JDBC API.
*/
import semmle.code.java.Type
/*--- Types ---*/
/**
 * The JDBC interface `java.sql.Connection`, identified by its fully
 * qualified name. Implementing classes (driver `Connection` types) are not
 * instances of this class; only the interface itself is.
 */
class TypeConnection extends Interface {
  TypeConnection() { this.hasQualifiedName("java.sql", "Connection") }
}
/**
 * The JDBC interface `java.sql.PreparedStatement`, identified by its fully
 * qualified name. Only the interface declaration itself matches, not the
 * driver classes that implement it.
 */
class TypePreparedStatement extends Interface {
  TypePreparedStatement() { this.hasQualifiedName("java.sql", "PreparedStatement") }
}
/**
 * The JDBC interface `java.sql.ResultSet`, identified by its fully
 * qualified name. Only the interface declaration itself matches.
 */
class TypeResultSet extends Interface {
  TypeResultSet() { this.hasQualifiedName("java.sql", "ResultSet") }
}
/**
 * The JDBC interface `java.sql.Statement`, identified by its fully
 * qualified name. Note that `java.sql.PreparedStatement` is a distinct
 * interface and is not an instance of this class, even though it extends
 * `Statement` in the JDK.
 */
class TypeStatement extends Interface {
  TypeStatement() { this.hasQualifiedName("java.sql", "Statement") }
}
/*--- Methods ---*/
/**
 * A method named `prepareStatement` whose declaring type is the interface
 * `java.sql.Connection`.
 *
 * The match is by name only, so every overload of `prepareStatement` is
 * included. Because the declaring type must be the interface itself, an
 * override declared in a class that implements `Connection` is not an
 * instance of this class; callers that need to match such overrides have to
 * widen the check themselves.
 */
class ConnectionPrepareStatement extends Method {
  ConnectionPrepareStatement() {
    this.hasName("prepareStatement") and
    this.getDeclaringType() instanceof TypeConnection
  }
}
/**
 * A method named `prepareCall` whose declaring type is the interface
 * `java.sql.Connection`.
 *
 * Name-based: all overloads of `prepareCall` match. Overrides declared in
 * implementing classes have a different declaring type and do not match.
 */
class ConnectionPrepareCall extends Method {
  ConnectionPrepareCall() {
    this.hasName("prepareCall") and
    this.getDeclaringType() instanceof TypeConnection
  }
}
/**
 * A method named `executeQuery` whose declaring type is the interface
 * `java.sql.Statement`.
 *
 * Because `TypeStatement` is only `java.sql.Statement`, the separate
 * `executeQuery` declared on `java.sql.PreparedStatement` (and any override
 * in a driver class) is not an instance of this class.
 */
class StatementExecuteQuery extends Method {
  StatementExecuteQuery() {
    this.hasName("executeQuery") and
    this.getDeclaringType() instanceof TypeStatement
  }
}
/**
 * A method named `execute` whose declaring type is the interface
 * `java.sql.Statement`.
 *
 * Name-based, so every overload of `execute` matches. The `execute` declared
 * on `java.sql.PreparedStatement`, and overrides in implementing classes,
 * have a different declaring type and do not match.
 */
class MethodStatementExecute extends Method {
  MethodStatementExecute() {
    this.hasName("execute") and
    this.getDeclaringType() instanceof TypeStatement
  }
}
/**
 * A method named `executeUpdate` whose declaring type is the interface
 * `java.sql.Statement`.
 *
 * Name-based, so every overload of `executeUpdate` matches. Declarations on
 * `java.sql.PreparedStatement` or on implementing classes do not.
 */
class MethodStatementExecuteUpdate extends Method {
  MethodStatementExecuteUpdate() {
    this.hasName("executeUpdate") and
    this.getDeclaringType() instanceof TypeStatement
  }
}
/**
 * A method named `executeLargeUpdate` whose declaring type is the interface
 * `java.sql.Statement`.
 *
 * Name-based, so every overload of `executeLargeUpdate` matches. Declarations
 * on `java.sql.PreparedStatement` or on implementing classes do not.
 */
class MethodStatementExecuteLargeUpdate extends Method {
  MethodStatementExecuteLargeUpdate() {
    this.hasName("executeLargeUpdate") and
    this.getDeclaringType() instanceof TypeStatement
  }
}
/**
 * A method named `addBatch` whose declaring type is the interface
 * `java.sql.Statement`.
 *
 * The zero-argument `addBatch()` declared on `java.sql.PreparedStatement`
 * has a different declaring type and is therefore not an instance of this
 * class; only the `Statement` declaration (which takes the SQL text) is.
 */
class MethodStatementAddBatch extends Method {
  MethodStatementAddBatch() {
    this.hasName("addBatch") and
    this.getDeclaringType() instanceof TypeStatement
  }
}
/**
 * A method named `getString`, declared on the interface `java.sql.ResultSet`,
 * whose return type is `String`.
 *
 * The return-type conjunct restricts the match to the `String`-returning
 * overloads; data read through these methods comes from the database and is
 * typically treated as a source of stored (second-order) data.
 */
class ResultSetGetStringMethod extends Method {
  ResultSetGetStringMethod() {
    this.getReturnType() instanceof TypeString and
    this.hasName("getString") and
    this.getDeclaringType() instanceof TypeResultSet
  }
}
/*--- Other definitions ---*/
/**
 * An expression passed as the first argument to one of the SQL-executing
 * methods on `java.sql.Connection` (`prepareStatement`, `prepareCall`) or
 * `java.sql.Statement` (`executeQuery`, `execute`, `executeUpdate`,
 * `executeLargeUpdate`, `addBatch`).
 *
 * Only argument 0 of those calls is covered. The SQL text handed to
 * `prepareStatement`/`prepareCall` is included deliberately: a prepared
 * statement only protects against injection when the template is fixed and
 * untrusted data is bound through the `?` placeholders, so a template built
 * from untrusted input is still a sink. The bound parameters themselves are
 * set by separate `setXxx` calls and are outside this class.
 *
 * NOTE(review): the method classes used here require the declaring type to be
 * the `java.sql` interface itself. A call resolved against an override in an
 * implementing (driver) class presumably has that class as its declaring type
 * and would not be matched — confirm and widen (e.g. via overriding/source
 * declaration) if such calls need to be covered.
 */
class SqlExpr extends Expr {
  SqlExpr() {
    exists(MethodAccess call | this = call.getArgument(0) |
      call.getMethod() instanceof ConnectionPrepareStatement or
      call.getMethod() instanceof ConnectionPrepareCall or
      call.getMethod() instanceof StatementExecuteQuery or
      call.getMethod() instanceof MethodStatementExecute or
      call.getMethod() instanceof MethodStatementExecuteUpdate or
      call.getMethod() instanceof MethodStatementExecuteLargeUpdate or
      call.getMethod() instanceof MethodStatementAddBatch
    )
  }
}