Merge pull request #21749 from github/copilot/add-hibernate-sql-injection-tests

Add Hibernate SQL injection sink models and coverage

Author: owen-mc

java/ql/lib/change-notes/2026-04-23-hibernate-queryproducer-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Hibernate `org.hibernate.query.QueryProducer` methods `createNativeMutationQuery`, `createMutationQuery`, and `createSelectionQuery`.

java/ql/lib/ext/org.hibernate.query.model.yml

@@ -4,5 +4,8 @@ extensions:
       extensible: sinkModel
     data:
       - ["org.hibernate.query", "QueryProducer", True, "createNativeQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createNativeMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["org.hibernate.query", "QueryProducer", True, "createQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createMutationQuery", "", "", "Argument[0]", "sql-injection", "manual"]
+      - ["org.hibernate.query", "QueryProducer", True, "createSelectionQuery", "", "", "Argument[0]", "sql-injection", "manual"]
       - ["org.hibernate.query", "QueryProducer", True, "createSQLQuery", "", "", "Argument[0]", "sql-injection", "manual"]

java/ql/test/query-tests/security/CWE-089/semmle/examples/Hibernate.java

@@ -0,0 +1,25 @@
+import org.hibernate.Session;
+import org.hibernate.SharedSessionContract;
+import org.hibernate.query.QueryProducer;
+
+public class Hibernate {
+
+  public static String source() { return null; }
+
+  public static void test(
+      Session session, SharedSessionContract sharedSessionContract, QueryProducer queryProducer) {
+    session.createQuery(source()); // $ sqlInjection
+    session.createSQLQuery(source()); // $ sqlInjection
+
+    sharedSessionContract.createQuery(source()); // $ sqlInjection
+    sharedSessionContract.createSQLQuery(source()); // $ sqlInjection
+
+    queryProducer.createNativeQuery(source()); // $ sqlInjection
+    queryProducer.createNativeMutationQuery(source()); // $ sqlInjection
+    queryProducer.createQuery(source()); // $ sqlInjection
+    queryProducer.createMutationQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source()); // $ sqlInjection
+    queryProducer.createSelectionQuery(source(), Object.class); // $ sqlInjection
+    queryProducer.createSQLQuery(source()); // $ sqlInjection
+  }
+}

java/ql/test/query-tests/security/CWE-089/semmle/examples/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0 --release 21
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/mongodbClient:${testdir}/../../../../../stubs/couchbaseClient:${testdir}/../../../../../stubs/springframework-5.8.x:${testdir}/../../../../../stubs/apache-hive:${testdir}/../../../../../stubs/jakarta-persistence-api-3.2.0:${testdir}/../../../../../stubs/hibernate-5.x --release 21