mirror of
https://github.com/hohn/codeql-dataflow-sql-injection.git
synced 2025-12-18 11:03:04 +01:00
Compare commits
4 Commits
workshop-2
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
bc7cda5274 | ||
|
|
bf69cb0f45 | ||
|
|
684b4c145a | ||
|
|
7ec8b18eac |
@@ -15,33 +15,17 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
|
||||
// count = read(STDIN_FILENO, buf, BUFSIZE);
|
||||
exists(FunctionCall read |
|
||||
read.getTarget().getName() = "read" and
|
||||
read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
|
||||
read.getArgument(1) = source.asDefiningArgument()
|
||||
)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node sanitizer) { none() }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
|
||||
// Extra taint step
|
||||
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
|
||||
// But snprintf is a macro on mac os. The actual function's name is
|
||||
// #undef snprintf
|
||||
// #define snprintf(str, len, ...) \
|
||||
// __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
|
||||
// #endif
|
||||
exists(FunctionCall printf |
|
||||
printf.getTarget().getName().matches("%snprintf%") and
|
||||
printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
|
||||
// very specific: shifted index for macro.
|
||||
printf.getArgument(6) = into.asExpr()
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
||||
exists(FunctionCall exec |
|
||||
exec.getTarget().getName() = "sqlite3_exec" and
|
||||
exec.getArgument(1) = sink.asExpr()
|
||||
exec.getArgument(1) = sink.asIndirectArgument()
|
||||
)
|
||||
}
|
||||
}
|
||||
@@ -52,3 +36,4 @@ import MyFlow::PathGraph
|
||||
from MyFlow::PathNode source, MyFlow::PathNode sink
|
||||
where MyFlow::flowPath(source, sink)
|
||||
select sink, source, sink, "Possible SQL injection"
|
||||
|
||||
|
||||
BIN
cpp-sqli-3fe610d-1.zip
(Stored with Git LFS)
Normal file
BIN
cpp-sqli-3fe610d-1.zip
(Stored with Git LFS)
Normal file
Binary file not shown.
91
session.ql
91
session.ql
@@ -1,17 +1,18 @@
|
||||
/**
|
||||
* @name SQLI Vulnerability
|
||||
* @description Using untrusted strings in a sql query allows sql injection attacks.
|
||||
* @kind path-problem
|
||||
* @id cpp/sqlivulnerable
|
||||
* @problem.severity warning
|
||||
*/
|
||||
|
||||
import cpp
|
||||
|
||||
// 1. invalid input -- source
|
||||
// count = read(STDIN_FILENO, buf, BUFSIZE - 1);
|
||||
//
|
||||
|
||||
// 2. gets to a sql statement -- flow
|
||||
// flow config
|
||||
//
|
||||
// 3. drops table -- sink
|
||||
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
||||
// All predicates and classes are using one of:
|
||||
// AST Abstract syntax tree
|
||||
// CFG Control flow graph
|
||||
// DFG Data flow graph
|
||||
// Type hierarchy
|
||||
class DataSource extends VariableAccess {
|
||||
DataSource() {
|
||||
exists(FunctionCall read |
|
||||
@@ -21,70 +22,8 @@ class DataSource extends VariableAccess {
|
||||
}
|
||||
}
|
||||
|
||||
// from DataSource buf
|
||||
// select buf
|
||||
|
||||
// 2. gets to a sql statement -- flow
|
||||
// flow config
|
||||
//
|
||||
// 3. drops table -- sink
|
||||
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
||||
|
||||
|
||||
class DataSink extends Expr {
|
||||
DataSink() {
|
||||
exists(FunctionCall read |
|
||||
read.getTarget().getName() = "sqlite3_exec" and
|
||||
read.getArgument(1) = this
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
// from DataSource ds
|
||||
// select ds
|
||||
|
||||
|
||||
// from FunctionCall exec, Expr query
|
||||
// where exec.getTarget().getName() = "sqlite3_exec" and
|
||||
// exec.getArgument(1) = query
|
||||
// select query
|
||||
// from StmtParent st
|
||||
// where not (st instanceof VariableAccess)
|
||||
// select st
|
||||
|
||||
|
||||
|
||||
// All predicates and classes are using one of:
|
||||
// AST Abstract syntax tree
|
||||
// CFG Control flow graph
|
||||
// DFG Data flow graph
|
||||
// Type hierarchy
|
||||
//
|
||||
|
||||
|
||||
import semmle.code.cpp.dataflow.new.TaintTracking
|
||||
|
||||
|
||||
module SqliFlowConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(DataSource ds |
|
||||
source.asExpr() = ds
|
||||
)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(DataSink ds |
|
||||
sink.asExpr() = ds
|
||||
)
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
module MyFlow = TaintTracking::Global<SqliFlowConfig>;
|
||||
import MyFlow::PathGraph
|
||||
|
||||
from MyFlow::PathNode source, MyFlow::PathNode sink
|
||||
where MyFlow::flowPath(source, sink)
|
||||
select sink, source, sink, "Possible SQL injection"
|
||||
from FunctionCall read, VariableAccess buf
|
||||
where
|
||||
read.getTarget().getName() = "read" and
|
||||
read.getArgument(1) = buf
|
||||
select buf
|
||||
|
||||
Reference in New Issue
Block a user