hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 10:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use asIndirecArgument

Browse Source
This commit is contained in:
Michael Hohn
2025-03-03 11:54:46 -08:00
committed by =Michael Hohn
parent 00bd07be2b
commit 92a678414d
2 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
SqlInjection.ql
View File

@@ -15,7 +15,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
)
}
@@ -31,7 +31,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// #endif
exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
// very specific: shifted index for macro.
printf.getArgument(6) = into.asExpr()
)

17
session.ql
View File

@@ -1,3 +1,11 @@
/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp
// 1. invalid input -- source
@@ -59,11 +67,18 @@ import semmle.code.cpp.dataflow.new.TaintTracking
module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(DataSource ds |
source.asExpr() = ds
)
}
predicate isSink(DataFlow::Node sink) {
exists(DataSink ds |
sink.asExpr() = ds
)
}
}