hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 10:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Insert updates from github.com:hohn/codeql.git

Browse Source
This commit is contained in:
Michael Hohn
2022-06-08 08:36:05 +02:00
committed by =Michael Hohn
parent 9d130f1466
commit dd664fe4ef
6 changed files with 247 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
codeql-dataflow-sql-injection.md
View File

@@ -65,7 +65,7 @@ If you get stuck, try searching our documentation and blog posts for help and id
- [Using the CodeQL extension for VS Code](https://help.semmle.com/codeql/codeql-for-vscode.html)
## Codeql Recap
This is a brief review of codeql taken from the [full
This is a brief review of CodeQL taken from the [full
introduction](https://git.io/JJqdS). For more details, see the [documentation
links](#documentation-links). We will revisit all of this during the tutorial.
@@ -89,7 +89,7 @@ select /* ... expressions ... */
The `from` clause specifies some variables that will be used in the query. The
`where` clause specifies some conditions on those variables in the form of logical
formulas. The `select` clauses speciifes what the results should be, and can refer
formulas. The `select` clauses specifies what the results should be, and can refer
to variables defined in the `from` clause.
The `from` clause is defined as a series of variable declarations, where each
@@ -206,9 +206,9 @@ This program can be compiled and linked, and a simple sqlite db created via
./build.sh
# Prepare db
./admin rm-db
./admin create-db
./admin show-db
./admin -r
./admin -c
./admin -s
```
Users can be added via `stdin` in several ways; the second is a pretend "server"
@@ -226,14 +226,14 @@ echo "User Outside" | ./add-user 2>> users.log
Check the db and log:
```
# Check
./admin show-db
./admin -s
tail -4 users.log
```
Looks ok:
```
0:$ ./admin show-db
0:$ ./admin -s
87797|First User
87808|User Outside
@@ -252,8 +252,8 @@ Johnny'); DROP TABLE users; --
And then we have this:
```sh
# And the problem:
./admin show-db
0:$ ./admin show-db
./admin -s
0:$ ./admin -s
Error: near line 2: no such table: users
```
@@ -580,7 +580,7 @@ the process of building and exploring the data flow path.
One such feature is adding additional taint steps. This is useful if you use
libraries which are not modelled by the default taint tracking. You can implement
this by overriding `isAdditionalTaintStep` predicate. This has two parameters, the
`from` and the `to` node, and essentially allows you to add extra edges into the
`from` and the `to` node, and it essentially allows you to add extra edges into the
taint tracking or data flow graph.
A starting configuration can look like the following, with details to be filled