hohn/codeql-c-sqli
1
0
Fork 0
mirror of https://github.com/hohn/codeql-c-sqli.git synced 2025-12-16 10:33:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

reduced copy from codeql-dataflow-sql-injection

Browse Source
This commit is contained in:
Michael Hohn
2025-03-04 19:28:11 -08:00
committed by =Michael Hohn
commit 834ef46858
9 changed files with 465 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
SqlInjection.ql Normal file
View File

@@ -0,0 +1,55 @@
/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp
import semmle.code.cpp.dataflow.new.TaintTracking
module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
)
}
predicate isBarrier(DataFlow::Node sanitizer) { none() }
// predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
// // Extra taint step
// // snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// // But snprintf is a macro on mac os. The actual function's name is
// // #undef snprintf
// // #define snprintf(str, len, ...) \
// // __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
// // #endif
// exists(FunctionCall printf |
// printf.getTarget().getName().matches("%snprintf%") and
// printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
// // very specific: shifted index for macro.
// printf.getArgument(6) = into.asExpr()
// )
// }
predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asIndirectArgument()
)
}
}
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"