hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-18 19:13:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: hohn:workshop-20250218
Branches Tags
hohn:master hohn:workshop-20250218
hohn:db-for-analysis hohn:presentation-1
..
compare: hohn:master
Branches Tags
hohn:master hohn:workshop-20250218
hohn:db-for-analysis hohn:presentation-1

4 Commits
workshop-2 ... master

Author SHA1 Message Date
Michael Hohn
bc7cda5274 update from pre/postUpdate node to new forms 2025-03-05 11:12:35 -08:00
Michael Hohn
bf69cb0f45 comment isAdditionalFlowStep--no longer needed 2025-03-03 12:08:36 -08:00
Michael Hohn
684b4c145a fix flow indirection 2025-03-03 12:04:02 -08:00
Michael Hohn
7ec8b18eac db 2025-03-03 11:59:42 -08:00
3 changed files with 24 additions and 97 deletions
Expand all files Collapse all files

33
SqlInjection.ql
View File

@@ -1,10 +1,10 @@
/** /**
* @name SQLI Vulnerability * @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks. * @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem * @kind path-problem
* @id cpp/sqlivulnerable * @id cpp/sqlivulnerable
* @problem.severity warning * @problem.severity warning
*/ */
import cpp import cpp
import semmle.code.cpp.dataflow.new.TaintTracking import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,33 +15,17 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
// count = read(STDIN_FILENO, buf, BUFSIZE); // count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read | exists(FunctionCall read |
read.getTarget().getName() = "read" and read.getTarget().getName() = "read" and
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() read.getArgument(1) = source.asDefiningArgument()
) )
} }
predicate isBarrier(DataFlow::Node sanitizer) { none() } predicate isBarrier(DataFlow::Node sanitizer) { none() }
predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
// But snprintf is a macro on mac os. The actual function's name is
// #undef snprintf
// #define snprintf(str, len, ...) \
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
// #endif
exists(FunctionCall printf |
printf.getTarget().getName().matches("%snprintf%") and
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
// very specific: shifted index for macro.
printf.getArgument(6) = into.asExpr()
)
}
predicate isSink(DataFlow::Node sink) { predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec | exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asExpr() exec.getArgument(1) = sink.asIndirectArgument()
) )
} }
} }
@@ -52,3 +36,4 @@ import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink) where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection" select sink, source, sink, "Possible SQL injection"

BIN
cpp-sqli-3fe610d-1.zip (Stored with Git LFS) Normal file
View File

Binary file not shown.

85
session.ql
View File

@@ -1,90 +1,29 @@
/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/sqlivulnerable
* @problem.severity warning
*/
import cpp import cpp
// 1. invalid input -- source // 1. invalid input -- source
// count = read(STDIN_FILENO, buf, BUFSIZE - 1); // count = read(STDIN_FILENO, buf, BUFSIZE - 1);
// //
class DataSource extends VariableAccess {
DataSource() {
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = this
)
}
}
// from DataSource buf
// select buf
// 2. gets to a sql statement -- flow // 2. gets to a sql statement -- flow
// flow config // flow config
// //
// 3. drops table -- sink // 3. drops table -- sink
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg); // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
class DataSink extends Expr {
DataSink() {
exists(FunctionCall read |
read.getTarget().getName() = "sqlite3_exec" and
read.getArgument(1) = this
)
}
}
// from DataSource ds
// select ds
// from FunctionCall exec, Expr query
// where exec.getTarget().getName() = "sqlite3_exec" and
// exec.getArgument(1) = query
// select query
// from StmtParent st
// where not (st instanceof VariableAccess)
// select st
// All predicates and classes are using one of: // All predicates and classes are using one of:
// AST Abstract syntax tree // AST Abstract syntax tree
// CFG Control flow graph // CFG Control flow graph
// DFG Data flow graph // DFG Data flow graph
// Type hierarchy // Type hierarchy
// class DataSource extends VariableAccess {
DataSource() {
exists(FunctionCall read |
import semmle.code.cpp.dataflow.new.TaintTracking read.getTarget().getName() = "read" and
read.getArgument(1) = this
)
module SqliFlowConfig implements DataFlow::ConfigSig { }
predicate isSource(DataFlow::Node source) {
exists(DataSource ds |
source.asExpr() = ds
)
}
predicate isSink(DataFlow::Node sink) {
exists(DataSink ds |
sink.asExpr() = ds
)
}
} }
from FunctionCall read, VariableAccess buf
module MyFlow = TaintTracking::Global<SqliFlowConfig>; where
import MyFlow::PathGraph read.getTarget().getName() = "read" and
read.getArgument(1) = buf
from MyFlow::PathNode source, MyFlow::PathNode sink select buf
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Possible SQL injection"