hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 10:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix flow indirection

Browse Source
This commit is contained in:
Michael Hohn
2025-03-03 12:04:02 -08:00
committed by =Michael Hohn
parent 7ec8b18eac
commit 684b4c145a
1 changed files with 10 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
SqlInjection.ql
View File

@@ -1,10 +1,10 @@
/** /**
* @name SQLI Vulnerability * @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks. * @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem * @kind path-problem
* @id cpp/sqlivulnerable * @id cpp/sqlivulnerable
* @problem.severity warning * @problem.severity warning
*/ */
import cpp import cpp
import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,7 +15,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// count = read(STDIN_FILENO, buf, BUFSIZE); // count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read | exists(FunctionCall read |
read.getTarget().getName() = "read" and read.getTarget().getName() = "read" and
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
) )
} }
@@ -31,7 +31,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// #endif // #endif
exists(FunctionCall printf | exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
// very specific: shifted index for macro. // very specific: shifted index for macro.
printf.getArgument(6) = into.asExpr() printf.getArgument(6) = into.asExpr()
) )
@@ -41,7 +41,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec | exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asExpr() exec.getArgument(1) = sink.asIndirectArgument()
) )
} }
} }
@@ -52,3 +52,4 @@ import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink) where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection" select sink, source, sink, "Possible SQL injection"