微服务CodeQL越权查询demo

Java代码

@RequestMapping(value = "/testRequest",method = RequestMethod.GET)
public ModelAndView selectUser(int id) throws IoException(
Long userId = Long.parseLong(string.valueOf(id));
User user = this.userService.selectUser(userId);
ModelAndView mv = new ModelAndView() ;
string name = user.getUsername();
String email = user.getEmail();
mv.addobject("name", name);
mv.addobject("email",email);
return mv;

CodeQL代码​

from RequestMapping rmapping, Method m, ModelAndView mv, Call c, UserService us, DataFlow df1, DataFlow df2
where rmapping.value = "/testRequest" and
rmapping.method = RequestMethod.GET and
rmapping.declaringType = m.declaringType and
m.hasAnnotation(rmapping) and
c.target = m and
c.returnValue = mv and
df1.to = c and
df1.from = df2.to and
df2.fromMethod = us.selectUser and
df1.from.kind = "PARAMETER" and
df1.from.name = "id"
select c, "越权查询"

原文始发于微信公众号（xsser的博客）：微服务CodeQL越权查询demo