hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 10:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

from...where...select with class

Browse Source
This commit is contained in:
Michael Hohn
2025-02-18 19:21:30 -08:00
committed by =Michael Hohn
parent e6b23a9d86
commit 01048300c0
2 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
add-user.c
View File

@@ -93,7 +93,7 @@ int main(int argc, char* argv[]) {
info = get_user_info(); info = get_user_info();
id = get_new_id(); id = get_new_id();
write_info(id, info); write_info(id, info);
free(info); free(info);
/* /*
* show_info(id); * show_info(id);
*/ */

15
session.ql
View File

@@ -1,4 +1,3 @@
import cpp import cpp
// 1. invalid input -- source // 1. invalid input -- source
@@ -9,14 +8,22 @@ import cpp
// //
// 3. drops table -- sink // 3. drops table -- sink
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
// All predicates and classes are using one of: // All predicates and classes are using one of:
// AST Abstract syntax tree // AST Abstract syntax tree
// CFG Control flow graph // CFG Control flow graph
// DFG Data flow graph // DFG Data flow graph
// Type hierarchy // Type hierarchy
class DataSource extends VariableAccess {
DataSource() {
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = this
)
}
}
from FunctionCall read, VariableAccess buf from FunctionCall read, VariableAccess buf
where read.getTarget().getName() = "read" and where
read.getArgument(1) = buf read.getTarget().getName() = "read" and
read.getArgument(1) = buf
select buf select buf