How to fetch all variable in java class #7129

Shinpachi8 · 2021-11-15T11:24:25Z

Shinpachi8
Nov 15, 2021

When I use codeql for java, there is a case that i need.
Some Variable in Springboot RequestMapping annoation, just like this

    /**
     * 删除
     */
    @RequestMapping(value = "/carousels", method = RequestMethod.DELETE)
    @ApiOperation(value = "批量删除轮播图信息", notes = "批量删除轮播图信息")
    public Result delete(@RequestBody BatchIdParam batchIdParam, @TokenToAdminUser AdminUserToken adminUser) {
        logger.info("adminUser:{}", adminUser.toString());

and the Parameter is not a primary type, so i wanna search the variable in the Class AdminUserToken

@Data
public class AdminUserToken {
    private Long adminUserId;

    private String token;

    private Date updateTime;

    private Date expireTime;
}

how could I use codeql to fetch the variable like token, updateTime and it's type?
I use the code to try, but it returns no alert or raw result. can anyone help me?

from Class cls//Field field//int j , VarAccess type, Variable var
where 
    cls.getQualifiedName().matches("%AdminUserToken%")

select cls, cls.getAField(), cls.getFile().toString(), "cls2"
// select method, getAllData(method, 0), getValueUrl(anno)

Answered by Shinpachi8

Nov 16, 2021

OK, I got it.
The reason why i can not get field in AdminUserToken is that AdminUserToken is Lombok-ed type,
So we can decode lombok and recreate the database.

get a copy of lombok.jar

wget https://projectlombok.org/downloads/lombok.jar -O "lombok.jar"

run "delombok" on the source files and write the generated files to a folder named "delombok"

java -jar "lombok.jar" delombok -n --onlyChanged . -d "delombok"

remove "generated by" comments

find "delombok" -name '*.java' -exec sed '/Generated by delombok/d' -i '{}' ';'

remove any left-over import statements

find "delombok" -name '*.java' -exec sed '/import lombok/d' -i '{}' ';'

copy delombok'd files over the original ones

cp -r "delombok/."…

View full answer

Shinpachi8 · 2021-11-16T07:06:12Z

Shinpachi8
Nov 16, 2021
Author

OK, I got it.
The reason why i can not get field in AdminUserToken is that AdminUserToken is Lombok-ed type,
So we can decode lombok and recreate the database.

get a copy of lombok.jar

wget https://projectlombok.org/downloads/lombok.jar -O "lombok.jar"

run "delombok" on the source files and write the generated files to a folder named "delombok"

java -jar "lombok.jar" delombok -n --onlyChanged . -d "delombok"

remove "generated by" comments

find "delombok" -name '*.java' -exec sed '/Generated by delombok/d' -i '{}' ';'

remove any left-over import statements

find "delombok" -name '*.java' -exec sed '/import lombok/d' -i '{}' ';'

copy delombok'd files over the original ones

cp -r "delombok/." "./"

remove the "delombok" folder

rm -rf "delombok"

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

How to fetch all variable in java class #7129

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How to fetch all variable in java class #7129

Uh oh!

Shinpachi8 Nov 15, 2021

get a copy of lombok.jar

run "delombok" on the source files and write the generated files to a folder named "delombok"

remove "generated by" comments

remove any left-over import statements

copy delombok'd files over the original ones

Replies: 1 comment

Uh oh!

Shinpachi8 Nov 16, 2021 Author

get a copy of lombok.jar

run "delombok" on the source files and write the generated files to a folder named "delombok"

remove "generated by" comments

remove any left-over import statements

copy delombok'd files over the original ones

remove the "delombok" folder

Shinpachi8
Nov 15, 2021

Shinpachi8
Nov 16, 2021
Author