hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 18:23:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

updates for module system; include a db

Browse Source
This commit is contained in:
Michael Hohn
2025-02-17 17:09:04 -08:00
committed by =Michael Hohn
parent c1b3c8d901
commit f3b703a35f
267 changed files with 56982 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
SqlInjection.ql
View File

@@ -2,18 +2,16 @@
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/SQLIVulnerable
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
import semmle.code.cpp.dataflow.new.TaintTracking
class SqliFlowConfig extends TaintTracking::Configuration {
SqliFlowConfig() { this = "SqliFlow" }
module SqliFlowConfig implements DataFlow::ConfigSig {
override predicate isSource(DataFlow::Node source) {
predicate isSource(DataFlow::Node source) {
// count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read |
read.getTarget().getName() = "read" and
@@ -21,9 +19,9 @@ class SqliFlowConfig extends TaintTracking::Configuration {
)
}
override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
predicate isBarrier(DataFlow::Node sanitizer) { none() }
override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// But snprintf is a macro on mac os. The actual function's name is
@@ -39,7 +37,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
)
}
override predicate isSink(DataFlow::Node sink) {
predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
@@ -48,6 +46,9 @@ class SqliFlowConfig extends TaintTracking::Configuration {
}
}
from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink)
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"