SQL Injection Code Sample Run

2025-12-16 10:43:05 +01:00 · 2024-12-03 14:32:14 -08:00
parent 75ed1f7b00
commit a2466b0a2d
7 changed files with 315 additions and 111 deletions
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -0,0 +1,34 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id workshop/sqlivulnerable
+ * @problem.severity warning
+ */
+
+import csharp
+
+module MyFlowConfiguration implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(MethodCall call |
+      call.getTarget().getDeclaringType().hasFullyQualifiedName("System", "Console") and
+      call.getTarget().getName() = "ReadLine" and
+      source.asExpr() = call
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(ObjectCreation oc, Expr queryArg |
+      oc.getObjectType().getName() = "SqliteCommand" and
+      oc.getArgument(0) = queryArg and
+      sink.asExpr() = queryArg
+    )
+  }
+}
+
+module Flow = DataFlow::Global<MyFlowConfiguration>;
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink, source, sink, "Dataflow found"