sql injection: use post-update nodes for function return values

Michael Hohn
2020-07-20 16:16:40 -07:00
committed by =Michael Hohn
parent 5bce3ae696
commit ba3cfcb010


@@ -17,7 +17,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
// count = read(STDIN_FILENO, buf, BUFSIZE); // count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read | exists(FunctionCall read |
read.getTarget().getName() = "read" and read.getTarget().getName() = "read" and
read.getArgument(1) = source.asExpr() read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
) )
} }
@@ -33,7 +33,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
// #endif // #endif
exists(FunctionCall printf | exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.asExpr() and printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
// very specific: shifted index for macro. We can generalize this to consider // very specific: shifted index for macro. We can generalize this to consider
// all trailing arguments as sources. // all trailing arguments as sources.
printf.getArgument(6) = into.asExpr() printf.getArgument(6) = into.asExpr()
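Review bot: The comment above the first hunk's `exists` (`// count = read(STDIN_FILENO, buf, BUFSIZE);`) and the commit title both talk about the return value, but the new code selects the post-update node of argument 1, i.e. the contents of `buf` after `read()` writes through the pointer, not `count`; the comment should say so, e.g. `// source: contents of buf after read() writes into it (post-update node of argument 1)`. The same applies to the second hunk, where `out` is now the post-update node of the `snprintf` destination buffer while `into` stays the plain argument-6 node, which is the intended read-side/write-side pairing but is not explained. The enclosing predicates (presumably an `isSource` and an additional-taint-step predicate) start outside both hunks, so the parameter names `source`, `out` and `into` cannot be checked here. If the C/C++ library version in use provides `DataFlow::Node.asDefiningArgument()`, `source.asDefiningArgument() = read.getArgument(1)` would state the out-argument intent more directly than the `PostUpdateNode` cast, but that is a style choice rather than a defect.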