hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-19 11:23:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hohn:master
Branches Tags
hohn:master hohn:workshop-20250218
hohn:db-for-analysis hohn:presentation-1
..
compare: hohn:workshop-20250218
Branches Tags
hohn:master hohn:workshop-20250218
hohn:db-for-analysis hohn:presentation-1

6 Commits
master ... workshop-2

Author SHA1 Message Date
Michael Hohn
92a678414d Use asIndirecArgument 2025-03-03 11:54:46 -08:00
Michael Hohn
00bd07be2b add flow with module boilerplate 2025-03-03 11:21:04 -08:00
Michael Hohn
ea0311f339 fix add-user.c 2025-03-03 11:11:52 -08:00
Michael Hohn
ade70e9b32 fixes for db 2025-03-03 10:22:40 -08:00
Michael Hohn
03c38d3c89 remove db 2025-03-03 10:15:25 -08:00
Michael Hohn
c532be53d4 first session 2025-03-02 21:28:48 -08:00
3 changed files with 97 additions and 24 deletions
Expand all files Collapse all files

33
SqlInjection.ql
View File

@@ -1,10 +1,10 @@
/** /**
* @name SQLI Vulnerability * @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks. * @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem * @kind path-problem
* @id cpp/sqlivulnerable * @id cpp/sqlivulnerable
* @problem.severity warning * @problem.severity warning
*/ */
import cpp import cpp
import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,17 +15,33 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// count = read(STDIN_FILENO, buf, BUFSIZE); // count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read | exists(FunctionCall read |
read.getTarget().getName() = "read" and read.getTarget().getName() = "read" and
read.getArgument(1) = source.asDefiningArgument() read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
) )
} }
predicate isBarrier(DataFlow::Node sanitizer) { none() } predicate isBarrier(DataFlow::Node sanitizer) { none() }
predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// But snprintf is a macro on mac os. The actual function's name is
// #undef snprintf
// #define snprintf(str, len, ...) \
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
// #endif
exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
// very specific: shifted index for macro.
printf.getArgument(6) = into.asExpr()
)
}
predicate isSink(DataFlow::Node sink) { predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec | exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asIndirectArgument() exec.getArgument(1) = sink.asExpr()
) )
} }
} }
@@ -36,4 +52,3 @@ import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink) where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection" select sink, source, sink, "Possible SQL injection"

BIN
cpp-sqli-3fe610d-1.zip (Stored with Git LFS)
View File

Binary file not shown.

85
session.ql
View File

@@ -1,29 +1,90 @@
/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp import cpp
// 1. invalid input -- source // 1. invalid input -- source
// count = read(STDIN_FILENO, buf, BUFSIZE - 1); // count = read(STDIN_FILENO, buf, BUFSIZE - 1);
// //
class DataSource extends VariableAccess {
DataSource() {
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = this
)
}
}
// from DataSource buf
// select buf
// 2. gets to a sql statement -- flow // 2. gets to a sql statement -- flow
// flow config // flow config
// //
// 3. drops table -- sink // 3. drops table -- sink
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
class DataSink extends Expr {
DataSink() {
exists(FunctionCall read |
read.getTarget().getName() = "sqlite3_exec" and
read.getArgument(1) = this
)
}
}
// from DataSource ds
// select ds
// from FunctionCall exec, Expr query
// where exec.getTarget().getName() = "sqlite3_exec" and
// exec.getArgument(1) = query
// select query
// from StmtParent st
// where not (st instanceof VariableAccess)
// select st
// All predicates and classes are using one of: // All predicates and classes are using one of:
// AST Abstract syntax tree // AST Abstract syntax tree
// CFG Control flow graph // CFG Control flow graph
// DFG Data flow graph // DFG Data flow graph
// Type hierarchy // Type hierarchy
class DataSource extends VariableAccess { //
DataSource() {
exists(FunctionCall read |
read.getTarget().getName() = "read" and import semmle.code.cpp.dataflow.new.TaintTracking
read.getArgument(1) = this
)
} module SqliFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(DataSource ds |
source.asExpr() = ds
)
}
predicate isSink(DataFlow::Node sink) {
exists(DataSink ds |
sink.asExpr() = ds
)
}
} }
from FunctionCall read, VariableAccess buf
where module MyFlow = TaintTracking::Global<SqliFlowConfig>;
read.getTarget().getName() = "read" and import MyFlow::PathGraph
read.getArgument(1) = buf
select buf from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"