mirror of
https://github.com/hohn/codeql-lab.git
synced 2025-12-15 17:43:04 +01:00
54 lines
1.5 KiB
Plaintext
54 lines
1.5 KiB
Plaintext
/**
|
|
* @name SQLI Vulnerability
|
|
* @description Using untrusted strings in a sql query allows sql injection attacks.
|
|
* @kind path-problem
|
|
* @id cpp/SQLIVulnerable
|
|
* @problem.severity warning
|
|
*/
|
|
|
|
import java
|
|
import semmle.code.java.dataflow.TaintTracking
|
|
import semmle.code.java.dataflow.DataFlow
|
|
|
|
/**
|
|
* A global data-flow configuration using modules
|
|
*/
|
|
// Note result differences between
|
|
module InputToSQL = TaintTracking::Global<SqliFlowConfig>;
|
|
// and
|
|
// module InputToSQL = DataFlow::Global<SqliFlowConfig>;
|
|
|
|
module SqliFlowConfig implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node source) {
|
|
// System.console().readLine();
|
|
exists(Call read |
|
|
read.getCallee().getName() = "readLine" and
|
|
read = source.asExpr()
|
|
)
|
|
}
|
|
|
|
predicate isSink(DataFlow::Node sink) {
|
|
// conn.createStatement().executeUpdate(query);
|
|
exists(Call exec |
|
|
exec.getCallee().getName() = "executeUpdate" and
|
|
exec.getArgument(0) = sink.asExpr()
|
|
)
|
|
}
|
|
|
|
// predicate isSanitizer(DataFlow::Node sanitizer) { none() }
|
|
|
|
// predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
|
|
// // Extra taint step
|
|
// // String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
|
|
// // Not needed here, but may be needed for larger libraries.
|
|
// none()
|
|
// }
|
|
}
|
|
|
|
// To construct the paths between sources and sinks.
|
|
import InputToSQL::PathGraph
|
|
|
|
from InputToSQL::PathNode source, InputToSQL::PathNode sink
|
|
where InputToSQL::flowPath(source, sink)
|
|
select sink, source, sink, "Possible SQL injection"
|