mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-15 20:05:13 +02:00
21 lines
947 B
Java
21 lines
947 B
Java
// Hibernate `session.createNativeQuery` SQLi via arbitrary-named
|
|
// receiver bound from `sessionFactory.openSession()`. The flat
|
|
// `session.createNativeQuery` matcher in `labels/java.rs` only fires
|
|
// when the receiver is literally named `session`; for any other name
|
|
// (`sess` here) the type-qualified `HibernateSession.createNativeQuery`
|
|
// rule fires via the `TypeKind::HibernateSession` fact attached to the
|
|
// SSA value returned by `sessionFactory.openSession()`.
|
|
package com.example;
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
import org.hibernate.Session;
|
|
import org.hibernate.SessionFactory;
|
|
|
|
public class SqliJavaHibernateNamedSession {
|
|
public void lookup(HttpServletRequest request, SessionFactory sf) {
|
|
String name = request.getParameter("name");
|
|
String sql = String.format("SELECT * FROM users WHERE name = '%s'", name);
|
|
Session sess = sf.openSession();
|
|
sess.createNativeQuery(sql);
|
|
}
|
|
}
|