source predicate

Michael Hohn
2025-05-21 11:32:24 -07:00
committed by =Michael Hohn
parent 35d4c80065
commit 36c265d4c3

39
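--- a/trivial.ql
+++ b/trivial.ql
@@ -0,0 +1,39 @@
+import cpp
+// 1. source: count = read(STDIN_FILENO, buf, BUFSIZE);
+// want buf
+// from VariableAccess buf, FunctionCall read
+// where read.getArgument(1) = buf and
+// read.getTarget().getName() = "read"
+// select read, buf
+// predicate findBuf(VariableAccess buf, FunctionCall read) {
+// read.getArgument(1) = buf and
+// read.getTarget().getName() = "read"
+// }
+// from VariableAccess buf, FunctionCall read
+// where findBuf(buf, read)
+// select read, buf
+// predicate findBuf(VariableAccess buf) {
+// exists(FunctionCall read |
+// read.getArgument(1) = buf and
+// read.getTarget().getName() = "read"
+// )
+// }
+// from VariableAccess buf
+// where findBuf(buf)
+// select buf
+class FindBuf extends VariableAccess {
+FindBuf() {
+exists(FunctionCall read |
+read.getArgument(1) = this and
+read.getTarget().getName() = "read"
+)
+}
+}
+from FindBuf buf
+select buf
+// 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+// 3. dataflow between them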
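Review bot: The characteristic predicate of `FindBuf` identifies the source call with `read.getTarget().getName() = "read"`, which accepts any function that happens to be called read, including member functions and project-local helpers, so the source set can contain buffers that never receive untrusted input. Using `read.getTarget().hasGlobalName("read")` pins the match to the global function the comment on step 1 has in mind. Because the class extends `VariableAccess`, a call whose second argument is a cast or a pointer expression rather than a plain variable is not matched; if that is intended for the workshop example, it is worth stating so in a QLDoc comment on the class, for instance `/** An access to the buffer passed as the second argument of read(), where untrusted input enters. */`. When step 3 is written, the tainted value is the buffer content after the call returns, so the source node will probably need to be the argument as written by the call rather than the expression as read.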