sql injection: taintstep across macro under snprintf, with position adjustment

2025-12-16 10:13:04 +01:00 · 2020-07-20 14:46:13 -07:00
parent 45a5e89366
commit 4060f31100
1 changed files with 13 additions and 2 deletions
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -40,5 +40,16 @@ class SqliFlowConfig extends TaintTracking::Configuration {

 // Extra taint step
 //     snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+// But snprintf is a macro on mac os.  The actual function's name is
+//     #undef snprintf
+//     #define snprintf(str, len, ...) \
+//       __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
+//     #endif
 from FunctionCall printf, DataFlow::Node into, DataFlow::Node out
-where printf.getTarget().getName() = "snprintf"
+where
+    printf.getTarget().getName().matches("%snprintf%") and
+    printf.getArgument(0) = out.asExpr() and
+    // very specific: shifted index for macro.  We can generalize this to consider
+    // all trailing arguments as sources.
+    printf.getArgument(6) = into.asExpr()
+select printf, into, out