sql injection: Flow configuration template

2025-12-16 02:03:05 +01:00 · 2020-07-20 13:53:10 -07:00
parent b241632815
commit e31039dd64
1 changed files with 26 additions and 0 deletions
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -0,0 +1,26 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/SQLIVulnerable
+ * @problem.severity warning
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class SqliFlowConfig extends TaintTracking::Configuration {
+    SqliFlowConfig() { this = "SqliFlow" }
+
+    override predicate isSource(DataFlow::Node source) { any() }
+
+    override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
+
+    override predicate isSink(DataFlow::Node sink) { any() }
+}
+
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"