flow template

2025-12-16 10:33:03 +01:00 · 2025-05-21 11:45:52 -07:00
parent 36c265d4c3
commit 16bdbbb202
1 changed files with 33 additions and 2 deletions
--- a/trivial.ql
+++ b/trivial.ql
@@ -32,8 +32,39 @@ class FindBuf extends VariableAccess {
  }
 }

-from FindBuf buf
-select buf
+// from FindBuf buf
+// select buf

 // 2. sink:  rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+class FindQuery extends VariableAccess {
+  FindQuery() {
+    exists(FunctionCall read |
+      read.getArgument(1) = this and
+      read.getTarget().getName() = "sqlite3_exec"
+    )
+  }
+}
+
+// from FindQuery fq
+// select fq
+
 // 3. dataflow between them
+
+import semmle.code.cpp.dataflow.new.TaintTracking
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+  }
+   predicate isSink(DataFlow::Node sink) {
+   }
+
+}
+
+module MyFlow = TaintTracking::Global<SqliFlowConfig>;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
+