mirror of
https://github.com/hohn/codeql-lab.git
synced 2025-12-15 17:43:04 +01:00
61 lines
1.7 KiB
Plaintext
61 lines
1.7 KiB
Plaintext
/**
|
|
* @name introduction workshop
|
|
* @description Sample SQL Injection problem
|
|
* @id test
|
|
* @kind path-problem
|
|
* @problem.severity warning
|
|
*/
|
|
|
|
import java
|
|
import semmle.code.java.dataflow.FlowSources
|
|
import semmle.code.java.dataflow.TaintTracking
|
|
|
|
class ReadLineSource extends Source {
|
|
ReadLineSource() { this.getMethod().hasQualifiedName("java.io", "Console", "readLine") }
|
|
}
|
|
|
|
abstract class Source extends MethodCall { }
|
|
|
|
class Sink extends MethodCall {
|
|
Sink() { this.getMethod().hasQualifiedName("java.sql", "Statement", "executeUpdate") }
|
|
}
|
|
|
|
module MyFlowConfiguration implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node source) {
|
|
//exists(Source s | source.asExpr() = s)
|
|
source.asExpr() instanceof Source
|
|
}
|
|
|
|
predicate isSink(DataFlow::Node sink) {
|
|
exists(Sink sink2 | sink.asExpr() = sink2.getArgument(_))
|
|
//any()
|
|
}
|
|
|
|
predicate isBarrier(DataFlow::Node node) {
|
|
exists(MethodCall s |
|
|
s.getMethod().getName() = "hypotheticalSanitizer" and
|
|
s.getAnArgument() = node.asExpr()
|
|
)
|
|
}
|
|
// predicate isAdditionalFlowStep(DataFlow::Node inNode, DataFlow::Node outNode) {
|
|
// exists(MethodCall mc |
|
|
// outNode.asExpr() = mc and
|
|
// mc.getMethod().hasQualifiedName("java.lang", "String", "format") and
|
|
// inNode.asExpr() = mc.getAnArgument()
|
|
// )
|
|
// // exists(MethodCall mc |
|
|
// // mc.getAnArgument() = inNode.asExpr() and
|
|
// // outNode.asExpr() = mc
|
|
// // )
|
|
// }
|
|
}
|
|
|
|
//purposely does not find the result
|
|
module MyFlow = DataFlow::Global<MyFlowConfiguration>;
|
|
|
|
import MyFlow::PathGraph
|
|
|
|
from MyFlow::PathNode source, MyFlow::PathNode sink
|
|
where MyFlow::flowPath(source, sink)
|
|
select sink, source, sink, "Potential sql injection here "
|