hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 18:23:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

add flow with module boilerplate

Browse Source
This commit is contained in:
Michael Hohn
2025-03-03 11:21:04 -08:00
committed by =Michael Hohn
parent ea0311f339
commit 00bd07be2b
1 changed files with 25 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
session.ql
View File

@@ -26,14 +26,14 @@ class DataSource extends VariableAccess {
class DataSink extends Expr { class DataSink extends Expr {
DataSink() { DataSink() {
exists(FunctionCall read | exists(FunctionCall read |
read.getTarget().getName() = "sqlite3_exec" and read.getTarget().getName() = "sqlite3_exec" and
read.getArgument(1) = this read.getArgument(1) = this
) )
} }
} }
from DataSource ds // from DataSource ds
select ds // select ds
// from FunctionCall exec, Expr query // from FunctionCall exec, Expr query
@@ -52,3 +52,24 @@ select ds
// DFG Data flow graph // DFG Data flow graph
// Type hierarchy // Type hierarchy
// //
import semmle.code.cpp.dataflow.new.TaintTracking
module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
}
predicate isSink(DataFlow::Node sink) {
}
}
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"