hohn/codeql-c-sqli
1
0
Fork 0
mirror of https://github.com/hohn/codeql-c-sqli.git synced 2025-12-16 18:33:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

flow fixed

Browse Source
This commit is contained in:
Michael Hohn
2025-05-21 12:08:34 -07:00
committed by =Michael Hohn
parent 16bdbbb202
commit 61804125e3
1 changed files with 15 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
trivial.ql
View File

@@ -1,3 +1,12 @@
/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp import cpp
// 1. source: count = read(STDIN_FILENO, buf, BUFSIZE); // 1. source: count = read(STDIN_FILENO, buf, BUFSIZE);
@@ -22,7 +31,6 @@ import cpp
// from VariableAccess buf // from VariableAccess buf
// where findBuf(buf) // where findBuf(buf)
// select buf // select buf
class FindBuf extends VariableAccess { class FindBuf extends VariableAccess {
FindBuf() { FindBuf() {
exists(FunctionCall read | exists(FunctionCall read |
@@ -34,7 +42,6 @@ class FindBuf extends VariableAccess {
// from FindBuf buf // from FindBuf buf
// select buf // select buf
// 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
class FindQuery extends VariableAccess { class FindQuery extends VariableAccess {
FindQuery() { FindQuery() {
@@ -47,24 +54,21 @@ class FindQuery extends VariableAccess {
// from FindQuery fq // from FindQuery fq
// select fq // select fq
// 3. dataflow between them // 3. dataflow between them
import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.dataflow.new.TaintTracking
module SqliFlowConfig implements DataFlow::ConfigSig { module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { predicate isSource(DataFlow::Node source) {
} exists(FindBuf fb | source.asDefiningArgument() = fb) }
predicate isSink(DataFlow::Node sink) {
}
predicate isSink(DataFlow::Node sink) {
exists(FindQuery fq |sink.asIndirectArgument() = fq) }
} }
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
import MyFlow::PathGraph import MyFlow::PathGraph
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
from MyFlow::PathNode source, MyFlow::PathNode sink from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink) where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection" select sink, source, sink, "Possible SQL injection"