hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 10:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

The isSink Predicate

Browse Source
This commit is contained in:
Michael Hohn
2020-07-22 14:24:44 -07:00
committed by =Michael Hohn
parent f99935159b
commit 999f665ceb
1 changed files with 25 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
codeql-dataflow-sql-injection.md
View File

@@ -566,9 +566,33 @@ select exec, sink
```
Second, we need this as a predicate of a single argument, `predicate
isSink(DataFlow::Node sink)`
isSink(DataFlow::Node sink)`. For this we introduce the `exists()`
[quantifier](https://help.semmle.com/QL/ql-handbook/formulas.html?highlight=exists#exists)
to move the `FunctionCall exec` into the body of the query and remove it from the
result:
```ql
from DataFlow::Node sink
where
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
sink.asExpr() = exec.getArgument(1)
)
select sink
```
To turn this into a predicate, `from` contents become arguments, the `where`
becomes the body, and the `select` is dropped:
```ql
predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
sink.asExpr() = exec.getArgument(1)
)
}
```
### The Data Source