The isSource Predicate

Michael Hohn
2020-07-22 15:09:16 -07:00
committed by =Michael Hohn
parent fd27af2216
commit c0bedda060

@@ -536,8 +536,8 @@ select sink, source, sink, "Possible SQL injection"
With the dataflow configuration in place, we just need to provide the details for
source(s), sink(s), and taint step(s).
There are two more steps required to convert our previous queries for use in data
flow. These are covered next.
Some more steps are required to convert our previous queries for use in data
flow. These are covered here.
### The isSink Predicate
Note that our previous queries used `Expr` nodes, but the taint query requires
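Review bot: "Some more steps are required" in the reworded sentence drops the count the earlier wording gave ("two more steps") without saying what the steps are. The sentence just above it already lists source(s), sink(s), and taint step(s), so consider tying the wording to that list, for example "The following sections adapt our previous queries to provide each of these." Also, "covered here" sits directly above the "### The isSink Predicate" heading, so "covered in the following sections" would read more accurately.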
@@ -644,8 +644,8 @@ read by and written to by the `snprintf` function call. Because we are specifyi
it as a *source*, the value of interest is the value *after* the call. We get
this value by
[casting](https://help.semmle.com/QL/ql-handbook/expressions.html#casts) to the
post-update node selector. Instead of `source.asExpr()`, we use
`source.(DataFlow::PostUpdateNode).getPreUpdateNode()`
post-update node. Instead of `source.asExpr()`, we use
`source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()`
Last, we incorporate this into a predicate:
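Review bot: The paragraph says the value of interest is the value *after* the call, but the expression that follows ends in `getPreUpdateNode().asExpr()`, which can look contradictory to a reader new to post-update nodes. Consider adding one sentence explaining that the cast to `DataFlow::PostUpdateNode` is what selects the after-call value, and that `getPreUpdateNode().asExpr()` is only used to get back to the argument expression so it can be matched against the `snprintf` call. Since the expression is on its own line with no closing punctuation, also check that it renders as intended before "Last, we incorporate this into a predicate:".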