mirror of
https://github.com/hohn/codeql-dataflow-sql-injection.git
synced 2025-12-18 11:03:04 +01:00
Compare commits
4 Commits
workshop-2
...
db-for-ana
| Author | SHA1 | Date | |
|---|---|---|---|
|
bc7cda5274 | ||
|
|
bf69cb0f45 | ||
|
|
684b4c145a | ||
|
|
7ec8b18eac |
@@ -15,33 +15,17 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
|
|||||||
// count = read(STDIN_FILENO, buf, BUFSIZE);
|
// count = read(STDIN_FILENO, buf, BUFSIZE);
|
||||||
exists(FunctionCall read |
|
exists(FunctionCall read |
|
||||||
read.getTarget().getName() = "read" and
|
read.getTarget().getName() = "read" and
|
||||||
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
|
read.getArgument(1) = source.asDefiningArgument()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate isBarrier(DataFlow::Node sanitizer) { none() }
|
predicate isBarrier(DataFlow::Node sanitizer) { none() }
|
||||||
|
|
||||||
predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
|
|
||||||
// Extra taint step
|
|
||||||
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
|
|
||||||
// But snprintf is a macro on mac os. The actual function's name is
|
|
||||||
// #undef snprintf
|
|
||||||
// #define snprintf(str, len, ...) \
|
|
||||||
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
|
|
||||||
// #endif
|
|
||||||
exists(FunctionCall printf |
|
|
||||||
printf.getTarget().getName().matches("%snprintf%") and
|
|
||||||
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
|
|
||||||
// very specific: shifted index for macro.
|
|
||||||
printf.getArgument(6) = into.asExpr()
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
predicate isSink(DataFlow::Node sink) {
|
predicate isSink(DataFlow::Node sink) {
|
||||||
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
||||||
exists(FunctionCall exec |
|
exists(FunctionCall exec |
|
||||||
exec.getTarget().getName() = "sqlite3_exec" and
|
exec.getTarget().getName() = "sqlite3_exec" and
|
||||||
exec.getArgument(1) = sink.asExpr()
|
exec.getArgument(1) = sink.asIndirectArgument()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -52,3 +36,4 @@ import MyFlow::PathGraph
|
|||||||
from MyFlow::PathNode source, MyFlow::PathNode sink
|
from MyFlow::PathNode source, MyFlow::PathNode sink
|
||||||
where MyFlow::flowPath(source, sink)
|
where MyFlow::flowPath(source, sink)
|
||||||
select sink, source, sink, "Possible SQL injection"
|
select sink, source, sink, "Possible SQL injection"
|
||||||
|
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
{"languages":{"cpp":{"displayName":"C/C++","files":["add-user.c"],"linesOfCode":78,"name":"cpp"}}}
|
|
||||||
@@ -1,11 +0,0 @@
|
|||||||
---
|
|
||||||
sourceLocationPrefix: /Users/hohn/local/codeql-dataflow-sql-injection
|
|
||||||
baselineLinesOfCode: 78
|
|
||||||
unicodeNewlines: false
|
|
||||||
columnKind: utf8
|
|
||||||
primaryLanguage: cpp
|
|
||||||
creationMetadata:
|
|
||||||
sha: c1b3c8d901eacddbb7949a8ca3b8acc11ffbda86
|
|
||||||
cliVersion: 2.20.0
|
|
||||||
creationTime: 2025-02-18T01:07:10.558137Z
|
|
||||||
finalised: true
|
|
||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -1 +0,0 @@
|
|||||||
20190805:20220702:20240828:20241116
|
|
||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user