mirror of
https://github.com/hohn/codeql-dataflow-sql-injection.git
synced 2025-12-16 10:13:04 +01:00
40 lines
1.2 KiB
Plaintext
40 lines
1.2 KiB
Plaintext
/**
|
|
* @name SQLI Vulnerability
|
|
* @description Using untrusted strings in a sql query allows sql injection attacks.
|
|
* @kind path-problem
|
|
* @id cpp/SQLIVulnerable
|
|
* @problem.severity warning
|
|
*/
|
|
|
|
import cpp
|
|
import semmle.code.cpp.dataflow.TaintTracking
|
|
import DataFlow::PathGraph
|
|
|
|
class SqliFlowConfig extends TaintTracking::Configuration {
|
|
SqliFlowConfig() { this = "SqliFlow" }
|
|
|
|
override predicate isSource(DataFlow::Node source) {
|
|
// count = read(STDIN_FILENO, buf, BUFSIZE);
|
|
exists(FunctionCall read |
|
|
read.getTarget().getName() = "read" and
|
|
read.getArgument(1) = source.asExpr()
|
|
)
|
|
}
|
|
|
|
override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
|
|
|
|
override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
|
|
|
|
override predicate isSink(DataFlow::Node sink) {
|
|
// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
|
|
exists(FunctionCall exec |
|
|
exec.getTarget().getName() = "sqlite3_exec" and
|
|
exec.getArgument(1) = sink.asExpr()
|
|
)
|
|
}
|
|
}
|
|
|
|
from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
|
|
where conf.hasFlowPath(source, sink)
|
|
select sink, source, sink, "Possible SQL injection"
|