hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 02:03:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

sql injection: sink as class predicate

Browse Source
This commit is contained in:
Michael Hohn
2020-07-20 14:20:32 -07:00
committed by =Michael Hohn
parent 1f385ddfe3
commit 7aa51e67c8
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
SqlInjection.ql
View File

@@ -13,6 +13,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
SqliFlowConfig() { this = "SqliFlow" }
override predicate isSource(DataFlow::Node source) {
// count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = source.asExpr()
@@ -23,13 +24,18 @@ class SqliFlowConfig extends TaintTracking::Configuration {
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
override predicate isSink(DataFlow::Node sink) { any() }
override predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asExpr()
)
}
}
// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
// where conf.hasFlowPath(source, sink)
// select sink, source, sink, "Possible SQL injection"
// Sink identification
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
from FunctionCall exec, DataFlow::Node sink