From c0bedda06082fe276d8a5fda933415302b821f4a Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Wed, 22 Jul 2020 15:09:16 -0700 Subject: [PATCH] The isSource Predicate --- codeql-dataflow-sql-injection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/codeql-dataflow-sql-injection.md b/codeql-dataflow-sql-injection.md index f24dcfb..6dc34d1 100644 --- a/codeql-dataflow-sql-injection.md +++ b/codeql-dataflow-sql-injection.md @@ -536,8 +536,8 @@ select sink, source, sink, "Possible SQL injection" With the dataflow configuration in place, we just need to provide the details for source(s), sink(s), and taint step(s). -There are two more steps required to convert our previous queries for use in data -flow. These are covered next. +Some more steps are required to convert our previous queries for use in data +flow. These are covered here. ### The isSink Predicate Note that our previous queries used `Expr` nodes, but the taint query requires @@ -644,8 +644,8 @@ read by and written to by the `snprintf` function call. Because we are specifyi it as a *source*, the value of interest is the value *after* the call. We get this value by [casting](https://help.semmle.com/QL/ql-handbook/expressions.html#casts) to the -post-update node selector. Instead of `source.asExpr()`, we use -`source.(DataFlow::PostUpdateNode).getPreUpdateNode()` +post-update node. Instead of `source.asExpr()`, we use +`source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()` Last, we incorporate this into a predicate:
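Review bot: the first hunk weakens the text rather than fixing it. Replacing "There are two more steps required" with "Some more steps are required" drops the count without saying what was wrong with it; if the real number is not two, state the correct one, and if it is two, keep the original sentence. "These are covered next" also read better than "These are covered here", since the steps are covered in the sections that follow (`### The isSink Predicate` and the isSource material), not at that point in the text. Note too that the commit subject "The isSource Predicate" describes only the second hunk; this first hunk is an unrelated wording change to the introduction and would be clearer as its own commit or at least mentioned in the subject.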
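Review bot: the second hunk corrects the snippet (`getPreUpdateNode()` yields a `DataFlow::Node`, so `.asExpr()` is needed before it can be compared with the `Expr` values the earlier queries used), but the surrounding prose should say so, otherwise the reader is left with two apparently contradictory statements: "the value of interest is the value *after* the call" immediately followed by a call to `getPreUpdateNode()`. Suggest adding one sentence after the snippet along the lines of: the `source` node itself is the post-update node (the value after `snprintf` returns); `getPreUpdateNode().asExpr()` is used only to locate the argument expression that the call writes to. The replaced sentence also still ends without a period after the inline code, and "post-update node selector" was changed to "post-update node" without explaining the cast, so a short clause such as "casting `source` to `DataFlow::PostUpdateNode`" would make the link text concrete.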