sql injection: try flow configuration (with pathgraph). Not ready

2025-12-16 10:13:04 +01:00 · 2020-07-20 14:26:44 -07:00
parent 7aa51e67c8
commit aa5d019740
1 changed files with 4 additions and 10 deletions
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -8,6 +8,7 @@

 import cpp
 import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph

 class SqliFlowConfig extends TaintTracking::Configuration {
    SqliFlowConfig() { this = "SqliFlow" }
@@ -33,13 +34,6 @@ class SqliFlowConfig extends TaintTracking::Configuration {
    }
 }

-// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-// where conf.hasFlowPath(source, sink)
-// select sink, source, sink, "Possible SQL injection"
-// Sink identification
-// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
-from FunctionCall exec, DataFlow::Node sink
-where
-    exec.getTarget().getName() = "sqlite3_exec" and
-    exec.getArgument(1) = sink.asExpr()
-select exec, sink
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"