hohn/codeql-javascript-multiflow
1
0
Fork 0
mirror of https://github.com/hohn/codeql-javascript-multiflow.git synced 2025-12-16 12:03:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add single-flow sql injection taint tracking query

Browse Source
This commit is contained in:
Michael Hohn
2023-11-26 19:18:56 -08:00
committed by =Michael Hohn
parent 18b8c9e98c
commit fc09596b45
5 changed files with 219 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
tests/AnySqlInjection/AnySqlInjection.expected Normal file
View File

@@ -0,0 +1,54 @@
nodes
| add-user.js:4:9:4:37 | line |
| add-user.js:4:16:4:37 | stdinBu ... tring() |
| add-user.js:4:16:4:37 | stdinBu ... tring() |
| add-user.js:6:5:6:45 | line |
| add-user.js:6:12:6:15 | line |
| add-user.js:6:12:6:45 | line.re ... gm, "") |
| add-user.js:7:12:7:15 | line |
| add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:16:16:26:10 | new sql ... }) |
| add-user.js:28:12:28:13 | db |
| add-user.js:31:21:31:22 | db |
| add-user.js:31:29:31:32 | info |
| add-user.js:33:11:33:63 | query |
| add-user.js:33:19:33:63 | `INSERT ... nfo}")` |
| add-user.js:33:56:33:59 | info |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:5:35:6 | db |
| add-user.js:35:13:35:17 | query |
| add-user.js:35:13:35:17 | query |
| add-user.js:41:9:41:30 | info |
| add-user.js:41:16:41:30 | get_user_info() |
| add-user.js:43:9:43:25 | db |
| add-user.js:43:14:43:25 | connect_db() |
| add-user.js:44:16:44:17 | db |
| add-user.js:44:24:44:27 | info |
edges
| add-user.js:4:9:4:37 | line | add-user.js:6:12:6:15 | line |
| add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:4:9:4:37 | line |
| add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:4:9:4:37 | line |
| add-user.js:6:5:6:45 | line | add-user.js:7:12:7:15 | line |
| add-user.js:6:12:6:15 | line | add-user.js:6:12:6:45 | line.re ... gm, "") |
| add-user.js:6:12:6:45 | line.re ... gm, "") | add-user.js:6:5:6:45 | line |
| add-user.js:7:12:7:15 | line | add-user.js:41:16:41:30 | get_user_info() |
| add-user.js:16:11:26:10 | db | add-user.js:28:12:28:13 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:16:16:26:10 | new sql ... }) | add-user.js:16:11:26:10 | db |
| add-user.js:28:12:28:13 | db | add-user.js:43:14:43:25 | connect_db() |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:21:31:22 | db | add-user.js:35:5:35:6 | db |
| add-user.js:31:29:31:32 | info | add-user.js:33:56:33:59 | info |
| add-user.js:33:11:33:63 | query | add-user.js:35:13:35:17 | query |
| add-user.js:33:11:33:63 | query | add-user.js:35:13:35:17 | query |
| add-user.js:33:19:33:63 | `INSERT ... nfo}")` | add-user.js:33:11:33:63 | query |
| add-user.js:33:56:33:59 | info | add-user.js:33:19:33:63 | `INSERT ... nfo}")` |
| add-user.js:41:9:41:30 | info | add-user.js:44:24:44:27 | info |
| add-user.js:41:16:41:30 | get_user_info() | add-user.js:41:9:41:30 | info |
| add-user.js:43:9:43:25 | db | add-user.js:44:16:44:17 | db |
| add-user.js:43:14:43:25 | connect_db() | add-user.js:43:9:43:25 | db |
| add-user.js:44:16:44:17 | db | add-user.js:31:21:31:22 | db |
| add-user.js:44:24:44:27 | info | add-user.js:31:29:31:32 | info |
#select
| add-user.js:35:13:35:17 | query | add-user.js:4:16:4:37 | stdinBu ... tring() | add-user.js:35:13:35:17 | query | Sql injected from $@ | add-user.js:4:16:4:37 | stdinBu ... tring() | here |

1
tests/AnySqlInjection/AnySqlInjection.qlref Normal file
View File

@@ -0,0 +1 @@
AnySqlInjection.ql

47
tests/AnySqlInjection/add-user.js Normal file
View File

@@ -0,0 +1,47 @@
function get_user_info() {
var fs = require("fs");
var stdinBuffer = fs.readFileSync(process.stdin.fd);
var line = stdinBuffer.toString();
console.log(line);
line = line.replace(/(\r\n|\n|\r)/gm, "");
return line
}
function get_new_id() {
return Math.floor(Math.random() * 12345);
}
function connect_db() {
const sqlite3 = require('sqlite3').verbose();
const db = new sqlite3.Database(
'users.sqlite',
sqlite3.OPEN_READWRITE | sqlite3.OPEN_FULLMUTEX,
err => {
if (err){
console.log(err);
throw err;
} else {
console.log('DB opened');
}
});
return db;
}
function write_info(db, id, info) {
db.serialize();
const query = `INSERT INTO users VALUES (${id}, "${info}")`;
console.log(query);
db.exec(query);
db.close();
}
let add_user = () => {
console.log("Running add-user");
var info = get_user_info();
var id = get_new_id();
var db = connect_db();
write_info(db, id, info);
}
add_user()