hohn/codeql-c-sqli
1
0
Fork 0
mirror of https://github.com/hohn/codeql-c-sqli.git synced 2025-12-16 18:33:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

flow template

Browse Source
This commit is contained in:
Michael Hohn
2025-05-21 11:45:52 -07:00
committed by =Michael Hohn
parent 36c265d4c3
commit 16bdbbb202
1 changed files with 33 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
trivial.ql
View File

@@ -32,8 +32,39 @@ class FindBuf extends VariableAccess {
} }
} }
from FindBuf buf // from FindBuf buf
select buf // select buf
// 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
class FindQuery extends VariableAccess {
FindQuery() {
exists(FunctionCall read |
read.getArgument(1) = this and
read.getTarget().getName() = "sqlite3_exec"
)
}
}
// from FindQuery fq
// select fq
// 3. dataflow between them // 3. dataflow between them
import semmle.code.cpp.dataflow.new.TaintTracking
module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
}
predicate isSink(DataFlow::Node sink) {
}
}
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"