hohn/codeql-dataflow-sql-injection
1
0
Fork 0
mirror of https://github.com/hohn/codeql-dataflow-sql-injection.git synced 2025-12-16 18:23:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
45a5e893663f5c41b7c0705a3cac3a6bb86e17a3
codeql-dataflow-sql-injection/SqlInjection.ql

45 lines
1.4 KiB
Plaintext
Raw Blame History

/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/SQLIVulnerable
* @problem.severity warning
*/
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
class SqliFlowConfig extends TaintTracking::Configuration {
SqliFlowConfig() { this = "SqliFlow" }
override predicate isSource(DataFlow::Node source) {
// count = read(STDIN_FILENO, buf, BUFSIZE);
exists(FunctionCall read |
read.getTarget().getName() = "read" and
read.getArgument(1) = source.asExpr()
)
}
override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
override predicate isSink(DataFlow::Node sink) {
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
exists(FunctionCall exec |
exec.getTarget().getName() = "sqlite3_exec" and
exec.getArgument(1) = sink.asExpr()
)
}
}
// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
// where conf.hasFlowPath(source, sink)
// select sink, source, sink, "Possible SQL injection"
// Extra taint step
// snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
from FunctionCall printf, DataFlow::Node into, DataFlow::Node out
where printf.getTarget().getName() = "snprintf"
Reference in New Issue View Git Blame Copy Permalink