Use asIndirecArgument

add flow with module boilerplate
fix add-user.c
2025-12-18 19:13:04 +01:00 · 2025-03-03 11:54:46 -08:00 · 2025-03-03 11:21:04 -08:00 · 2025-03-03 11:11:52 -08:00 · 2025-03-03 10:22:40 -08:00 · 2025-03-03 10:15:25 -08:00
3 changed files with 97 additions and 24 deletions
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -1,10 +1,10 @@
 /**
-* @name SQLI Vulnerability
-* @description Using untrusted strings in a sql query allows sql injection attacks.
-* @kind path-problem
-* @id cpp/sqlivulnerable
-* @problem.severity warning
-*/
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */

 import cpp
 import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,17 +15,33 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
        // count = read(STDIN_FILENO, buf, BUFSIZE);
        exists(FunctionCall read |
            read.getTarget().getName() = "read" and
-            read.getArgument(1) = source.asDefiningArgument()
+            read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
        )
    }

    predicate isBarrier(DataFlow::Node sanitizer) { none() }

+    predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
+        // Extra taint step
+        //     snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+        // But snprintf is a macro on mac os.  The actual function's name is
+        //     #undef snprintf
+        //     #define snprintf(str, len, ...) \
+        //       __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
+        //     #endif
+        exists(FunctionCall printf |
+            printf.getTarget().getName().matches("%snprintf%") and
+            printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
+            // very specific: shifted index for macro.
+            printf.getArgument(6) = into.asExpr()
+        )
+    }
+
    predicate isSink(DataFlow::Node sink) {
        // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
        exists(FunctionCall exec |
            exec.getTarget().getName() = "sqlite3_exec" and
-            exec.getArgument(1) = sink.asIndirectArgument()
+            exec.getArgument(1) = sink.asExpr()
        )
    }
 }
@@ -36,4 +52,3 @@ import MyFlow::PathGraph
 from  MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink, source, sink, "Possible SQL injection"
-
--- a/cpp-sqli-3fe610d-1.zip
+++ b/cpp-sqli-3fe610d-1.zip
--- a/session.ql
+++ b/session.ql
@@ -1,29 +1,90 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */
+
 import cpp

 // 1. invalid input -- source
 //    count = read(STDIN_FILENO, buf, BUFSIZE - 1);
 //
+
+class DataSource extends VariableAccess {
+    DataSource() {
+      exists(FunctionCall read |
+        read.getTarget().getName() = "read" and
+        read.getArgument(1) = this
+      )
+    }
+  }
+
+// from DataSource buf
+// select buf
+  
 // 2. gets to a sql statement -- flow
 //    flow config
 //
 // 3. drops table -- sink
 //    rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+
+
+class DataSink extends Expr {
+    DataSink() {
+      exists(FunctionCall read |
+       read.getTarget().getName() = "sqlite3_exec" and
+       read.getArgument(1) = this
+      )
+    }
+  }
+
+// from DataSource ds
+// select ds
+
+
+// from FunctionCall exec, Expr query 
+// where exec.getTarget().getName() = "sqlite3_exec" and
+// exec.getArgument(1) = query
+// select query
+// from StmtParent st
+// where not (st instanceof VariableAccess)
+// select st
+
+
+
 // All predicates and classes are using one of:
 // AST Abstract syntax tree
 // CFG Control flow graph
 // DFG Data flow graph
 // Type hierarchy
-class DataSource extends VariableAccess {
-  DataSource() {
-    exists(FunctionCall read |
-      read.getTarget().getName() = "read" and
-      read.getArgument(1) = this
-    )
-  }
+//
+
+
+import semmle.code.cpp.dataflow.new.TaintTracking
+
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+        exists(DataSource ds |
+            source.asExpr() = ds
+            )
+    }
+
+    predicate isSink(DataFlow::Node sink) {
+        exists(DataSink ds |
+            sink.asExpr() = ds
+            )
+
+    }
+  
 }

-from FunctionCall read, VariableAccess buf
-where
-  read.getTarget().getName() = "read" and
-  read.getArgument(1) = buf
-select buf
+
+module MyFlow = TaintTracking::Global<SqliFlowConfig>;
+import MyFlow::PathGraph
+
+from  MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
Author	SHA1	Message	Date
Michael Hohn	92a678414d	Use asIndirecArgument	2025-03-03 11:54:46 -08:00
Michael Hohn	00bd07be2b	add flow with module boilerplate	2025-03-03 11:21:04 -08:00
Michael Hohn	ea0311f339	fix add-user.c	2025-03-03 11:11:52 -08:00
Michael Hohn	ade70e9b32	fixes for db	2025-03-03 10:22:40 -08:00
Michael Hohn	03c38d3c89	remove db	2025-03-03 10:15:25 -08:00
Michael Hohn	c532be53d4	first session	2025-03-02 21:28:48 -08:00