hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 12:03:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add single-flow sql injection taint tracking query

Browse Source
This commit is contained in:
Michael Hohn
2023-11-26 19:18:56 -08:00
committed by =Michael Hohn
parent 18b8c9e98c
commit fc09596b45
5 changed files with 219 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
session/session.ql
View File

@@ -8,12 +8,18 @@ import DataFlow::PathGraph
// Ultimate source
// ----------------
// var line = stdinBuffer.toString();
predicate uSource(MethodCallExpr sbts) { sbts.getMethodName().matches("%toString%") }
Expr uSource(MethodCallExpr sbts) {
sbts.getMethodName().matches("%toString%") and
result = sbts
}
// Ultimate sink
// ----------------
// db.exec(query);
predicate uSink(MethodCallExpr dbe) { dbe.getMethodName().matches("%exec%") }
Expr uSink(MethodCallExpr exec) {
exec.getMethodName() = "exec" and
result = exec.getArgument(0)
}
// Flow sink origin
// ------------------------
@@ -26,15 +32,23 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
FlowSinkOrigin() { this = "FlowSinkOrigin" }
}
class IdentifyFlowSink extends DataFlow::Configuration {
class UltimateFlow extends DataFlow::FlowLabel {
UltimateFlow() { this = "UltimateFlow" }
}
class IdentifyFlowSink extends TaintTracking::Configuration {
IdentifyFlowSink() { this = "IdentifyFlowSink" }
override predicate isSource(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
// const db = new sqlite3.Database(
exists(NewExpr newdb |
newdb.getCalleeName() = "Database" and
nd.asExpr() = newdb
nd.asExpr() = newdb and
lbl instanceof FlowSinkOrigin
)
or
nd.asExpr() = uSource(_) and
lbl instanceof UltimateFlow
}
override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
@@ -42,11 +56,26 @@ class IdentifyFlowSink extends DataFlow::Configuration {
exists(Expr db, MethodCallExpr exec |
exec.getMethodName() = "exec" and
db = exec.getReceiver() and
nd.asExpr() = db
nd.asExpr() = db and
lbl instanceof FlowSinkOrigin
)
or
nd.asExpr() = uSink(_) and
lbl instanceof UltimateFlow
}
}
from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
class UltimateFlowCfg extends TaintTracking::Configuration {
UltimateFlowCfg() { this = "UltimateFlowCfg" }
override predicate isSource(DataFlow::Node nd) { nd.asExpr() = uSource(_) }
override predicate isSink(DataFlow::Node nd) { nd.asExpr() = uSink(_) }
}
// from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
// where cfg.hasFlowPath(source, sink)
// select sink, source, sink, "Database originating $@", source, "here"
from UltimateFlowCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Database originating $@", source, "here"
select sink, source, sink, "Sql injected from $@", source, "here"