1. import java
    2. import semmle.code.java.dataflow.DataFlow
    3. import semmle.code.java.dataflow.FlowSources
    4. import semmle.code.java.dataflow.TaintTracking
    6. class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
    7.     MyTaintTrackingConfiguration() {
    8.         this = "MyTaintTrackingConfiguration"
    9.     }
    11.     override predicate isSource(DataFlow::Node source) {
    12.         exists(source.asParameter())
    13.     }
    15.     override predicate isSink(DataFlow::Node sink) {
    16.         exists(Call call |
    17.             sink.asExpr() = call.getArgument(0) and
    18.             call.getCallee().hasQualifiedName("java.sql", "Statement", "executeQuery")
    19.         )
    20.     }
    21. }
    23. from DataFlow::Node source, DataFlow::Node sink, TaintTracking::Configuration config
    24. where config.hasFlow(source, sink)
    25. select source, sink

    优化RemoteFlowSource,增加对RequestParam标注的支持

    1. class MySource extends DataFlow::Node {
    2.     MySource() {
    3.       exists(Annotation ann,AnnotationType anntp|
    4.         this instanceof RemoteFlowSource or (
    5.             anntp.hasQualifiedName("org.springframework.web.bind.annotation", "RequestParam") and
    6.             ann.getType() = anntp and
    7.             this.asParameter().getAnAnnotation() = ann
    8.             )
    9.       )
    10.     }
    11. }
    12. class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
    13.     MyTaintTrackingConfiguration() {
    14.         this = "MyTaintTrackingConfiguration"
    15.     }
    17.     override predicate isSource(DataFlow::Node source) {
    18.         source instanceof MySource
    19.     }
    21.     override predicate isSink(DataFlow::Node sink) {
    22.         exists(Call call |
    23.             sink.asExpr() = call.getArgument(0) and
    24.             call.getCallee().hasQualifiedName("java.sql", "Statement", "executeQuery")
    25.         )
    26.     }
    27. }