From 35d4c8006578a157d95dd1880fab59721e9e4922 Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Tue, 20 May 2025 11:46:40 -0700 Subject: [PATCH] update postexprnode -> asDefiningArgument --- SqlInjection.ql | 78 ++++++++++++++++++------------------ codeql-c-sqli.code-workspace | 3 +- 2 files changed, 40 insertions(+), 41 deletions(-) diff --git a/SqlInjection.ql b/SqlInjection.ql index 47e8794..63c1d94 100644 --- a/SqlInjection.ql +++ b/SqlInjection.ql @@ -1,55 +1,53 @@ /** -* @name SQLI Vulnerability -* @description Using untrusted strings in a sql query allows sql injection attacks. -* @kind path-problem -* @id cpp/sqlivulnerable -* @problem.severity warning -*/ + * @name SQLI Vulnerability + * @description Using untrusted strings in a sql query allows sql injection attacks. + * @kind path-problem + * @id cpp/sqlivulnerable + * @problem.severity warning + */ import cpp import semmle.code.cpp.dataflow.new.TaintTracking module SqliFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + // count = read(STDIN_FILENO, buf, BUFSIZE); + exists(FunctionCall read | + read.getTarget().getName() = "read" and + read.getArgument(1) = source.asDefiningArgument() //.asExpr() + ) + } - predicate isSource(DataFlow::Node source) { - // count = read(STDIN_FILENO, buf, BUFSIZE); - exists(FunctionCall read | - read.getTarget().getName() = "read" and - read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() - ) - } + predicate isBarrier(DataFlow::Node sanitizer) { none() } - predicate isBarrier(DataFlow::Node sanitizer) { none() } - - // predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) { - // // Extra taint step - // // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info); - // // But snprintf is a macro on mac os. The actual function's name is - // // #undef snprintf - // // #define snprintf(str, len, ...) \ - // // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__) - // // #endif - // exists(FunctionCall printf | - // printf.getTarget().getName().matches("%snprintf%") and - // printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and - // // very specific: shifted index for macro. - // printf.getArgument(6) = into.asExpr() - // ) - // } - - predicate isSink(DataFlow::Node sink) { - // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); - exists(FunctionCall exec | - exec.getTarget().getName() = "sqlite3_exec" and - exec.getArgument(1) = sink.asIndirectArgument() - ) - } + predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) { + // Extra taint step + // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info); + // But snprintf is a macro on mac os. The actual function's name is + // #undef snprintf + // #define snprintf(str, len, ...) \ + // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__) + // #endif + exists(FunctionCall printf | + printf.getTarget().getName().matches("%snprintf%") and + printf.getArgument(0) = out.asDefiningArgument() and + // very specific: shifted index for macro. + printf.getArgument(6) = into.asIndirectArgument() + ) + } + predicate isSink(DataFlow::Node sink) { + // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); + exists(FunctionCall exec | + exec.getTarget().getName() = "sqlite3_exec" and + exec.getArgument(1) = sink.asIndirectArgument() + ) + } } module MyFlow = TaintTracking::Global; + import MyFlow::PathGraph -from MyFlow::PathNode source, MyFlow::PathNode sink +from MyFlow::PathNode source, MyFlow::PathNode sink where MyFlow::flowPath(source, sink) select sink, source, sink, "Possible SQL injection" - diff --git a/codeql-c-sqli.code-workspace b/codeql-c-sqli.code-workspace index aa98b17..1645c61 100644 --- a/codeql-c-sqli.code-workspace +++ b/codeql-c-sqli.code-workspace @@ -6,6 +6,7 @@ ], "settings": { "codeQL.runningQueries.autoSave": true, - "makefile.configureOnOpen": false + "makefile.configureOnOpen": false, + "sarif-viewer.connectToGithubCodeScanning": "off" } }