hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 02:03:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

sql injection: taintstep across macro under snprintf as predicate

Browse Source
This commit is contained in:
Michael Hohn
2020-07-20 14:58:25 -07:00
committed by =Michael Hohn
parent 4060f31100
commit 5bce3ae696
1 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
SqlInjection.ql
View File

@@ -23,7 +23,22 @@ class SqliFlowConfig extends TaintTracking::Configuration {
override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// But snprintf is a macro on mac os. The actual function's name is
// #undef snprintf
// #define snprintf(str, len, ...) \
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
// #endif
exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.asExpr() and
// very specific: shifted index for macro. We can generalize this to consider
// all trailing arguments as sources.
printf.getArgument(6) = into.asExpr()
)
}
override predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
@@ -34,22 +49,6 @@ class SqliFlowConfig extends TaintTracking::Configuration {
}
}
// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
// where conf.hasFlowPath(source, sink)
// select sink, source, sink, "Possible SQL injection"
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// But snprintf is a macro on mac os. The actual function's name is
// #undef snprintf
// #define snprintf(str, len, ...) \
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
// #endif
from FunctionCall printf, DataFlow::Node into, DataFlow::Node out
where
printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.asExpr() and
// very specific: shifted index for macro. We can generalize this to consider
// all trailing arguments as sources.
printf.getArgument(6) = into.asExpr()
select printf, into, out
from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink)
select sink, source, sink, "Possible SQL injection"