From 92a678414d948dbfec852453d451b9a949f3d7ba Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Mon, 3 Mar 2025 11:54:46 -0800
Subject: [PATCH] Use asIndirecArgument

---
 SqlInjection.ql | 4 ++--
 session.ql | 17 ++++++++++++++++-
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/SqlInjection.ql b/SqlInjection.ql
index b388109..54c0e73 100644
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -15,7 +15,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
 // count = read(STDIN_FILENO, buf, BUFSIZE);
 exists(FunctionCall read |
 read.getTarget().getName() = "read" and
- read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
+ read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
 )
 }
 
@@ -31,7 +31,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
 // #endif
 exists(FunctionCall printf |
 printf.getTarget().getName().matches("%snprintf%") and
- printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
+ printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
 // very specific: shifted index for macro.
 printf.getArgument(6) = into.asExpr()
 )
diff --git a/session.ql b/session.ql
index e1cf388..fd559f9 100644
--- a/session.ql
+++ b/session.ql
@@ -1,3 +1,11 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */
+
 import cpp
 
 // 1. invalid input -- source
@@ -59,11 +67,18 @@ import semmle.code.cpp.dataflow.new.TaintTracking
 module SqliFlowConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node source) {
+ exists(DataSource ds |
+ source.asExpr() = ds
+ )
 }
 
 predicate isSink(DataFlow::Node sink) {
+ exists(DataSink ds |
+ sink.asExpr() = ds
+ )
+ }
-
+ }
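Review bot: The new `asIndirectArgument()` on the `read.getArgument(1)` line leaves the indirection level unconstrained, so the source becomes every indirection of `buf` rather than just the bytes `read` writes into it; if the dataflow library in use exposes the indexed overload, `asIndirectArgument(1)` pins it to the first pointee level and keeps a `char **` argument from matching as well. The same pattern appears on the `printf.getArgument(0)` line of the second hunk, where the output buffer of `snprintf` would again be index 1. The post-update/pre-update chain is not self-explanatory, so a why-comment on the changed line would help, e.g. `// the source is the buffer contents after read() returns, not the buf expression itself`. The surrounding `getName() = "read"` context line matches any function named `read`, including member functions, so `hasGlobalName("read")` would be tighter if only the libc call is intended; the enclosing `isSource` predicate starts outside the hunk. The subject line also misspells the predicate as `asIndirecArgument`.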
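Review bot: The added `@kind path-problem` line commits session.ql to the path-problem result shape, which also needs a `PathGraph` import (`import <FLOW_MODULE>::PathGraph` for a `Global<…>` module, module name taken from the rest of the file) and a select of the form `select sink.getNode(), source, sink, "…"`; that part of the file is outside this hunk, so if it still has a plain `@kind problem` select the query will not compile. Consider adding `@tags security` alongside `@problem.severity warning` so the query is classified as a security query when packaged. Minor wording on the `@description` line: `SQL query` and `SQL injection` capitalised, matching `@name`.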