exercise8.ql

/**
 * Exercise 8: Combine your solutions from the previous exercise into a final solution.
 *
 * @name XWiki ratings SQLi
 * @description SQL injection vulnerability in XWiki's ratings component. Disable the component or upgrade to resolve the issue.
 * @id java/cve-2021-21380
 * @kind path-problem
 * @problem.severity error
 * @precision high
 * @tags security external/cwe/cwe-89
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.SqlInjectionQuery
import QueryInjectionFlow::PathGraph

module XWiki {
  class Component extends Class {
    Component() {
      this.getAnAnnotation()
          .getType()
          .hasQualifiedName("org.xwiki.component.annotation", "Component")
    }
  }

  class ScriptComponent extends Component {
    ScriptComponent() { this.getASupertype().hasName("ScriptService") }
  }

  class ScriptComponentMethodParameterSource extends RemoteFlowSource {
    ScriptComponentMethodParameterSource() {
      exists(ScriptComponent scriptComponent, Method apiMethod |
        scriptComponent.getAMethod() = apiMethod and
        apiMethod.isPublic() and
        apiMethod.getAParameter() = this.asParameter()
      )
    }

    override string getSourceType() { result = "XWiki component method parameter" }
  }

  class StorageInterface extends Interface {
    StorageInterface() { this.hasQualifiedName("com.xpn.xwiki.store", "XWikiStoreInterface") }
  }

  class DataStoreSink extends QueryInjectionSink {
    DataStoreSink() {
      exists(StorageInterface storeInterface, MethodCall storeCall |
        storeCall.getQualifier().getType() = storeInterface
      |
        storeCall.getAnArgument() = this.asExpr()
      )
    }
  }
}

from QueryInjectionFlow::PathNode source, QueryInjectionFlow::PathNode sink
where QueryInjectionFlow::flowPath(source, sink)
select sink, source, sink, "Possible query injection from $@", source.getNode(), "source"