From 10f707ccdee113e01ed9c453914ce5195358c7f3 Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Wed, 16 Aug 2023 15:38:22 -0700
Subject: [PATCH] Add new module-based query
---
 session/README.org | 54 ++-----------------------------------------
 session/full-query.ql | 53 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 52 deletions(-)
 create mode 100644 session/full-query.ql
diff --git a/session/README.org b/session/README.org
index 68b2397..78796fe 100644
--- a/session/README.org
+++ b/session/README.org
@@ -15,59 +15,9 @@ expression, the =query= argument. Again start from =from..where..select=, then convert to a predicate. - 3. Fill in the /taintflow configuration/ boilerplate - #+BEGIN_SRC java - class SqliFlowConfig extends TaintTracking::Configuration { - SqliFlowConfig() { this = "SqliFlow" } + 3. Fill in the /taintflow configuration/ boilerplate. - override predicate isSource(DataFlow::Node node) { - none() - } - - override predicate isSink(DataFlow::Node node) { - none() - } - } - #+END_SRC - - The final query (without =isAdditionalTaintStep=) is - #+BEGIN_SRC java - /** - ,* @name SQLI Vulnerability - ,* @description Using untrusted strings in a sql query allows sql injection attacks. - ,* @kind path-problem - ,* @id java/SQLIVulnerable - ,* @problem.severity warning - ,*/ - - import java - import semmle.code.java.dataflow.TaintTracking - import DataFlow::PathGraph - - class SqliFlowConfig extends TaintTracking::Configuration { - SqliFlowConfig() { this = "SqliFlow" } - - override predicate isSource(DataFlow::Node source) { - // System.console().readLine(); - exists(Call read | - read.getCallee().getName() = "readLine" and - read = source.asExpr() - ) - } - - override predicate isSink(DataFlow::Node sink) { - // conn.createStatement().executeUpdate(query); - exists(Call exec | - exec.getCallee().getName() = "executeUpdate" and - exec.getArgument(0) = sink.asExpr() - ) - } - } - - from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink - where conf.hasFlowPath(source, sink) - select sink, source, sink, "Possible SQL injection" - #+END_SRC + The final query is in [[./full-query.ql]] ** (optional) Review of the results via SARIF file Query results are available in several output formats using the cli. The
diff --git a/session/full-query.ql b/session/full-query.ql
new file mode 100644
index 0000000..730be72
--- /dev/null
+++ b/session/full-query.ql
@@ -0,0 +1,53 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/SQLIVulnerable
+ * @problem.severity warning
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A global data-flow configuration using modules
+ */
+// Note result differences between
+module InputToSQL = TaintTracking::Global;
+// and
+// module InputToSQL = DataFlow::Global;
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ // System.console().readLine();
+ exists(Call read |
+ read.getCallee().getName() = "readLine" and
+ read = source.asExpr()
+ )
+ }
+
+ predicate isSink(DataFlow::Node sink) {
+ // conn.createStatement().executeUpdate(query);
+ exists(Call exec |
+ exec.getCallee().getName() = "executeUpdate" and
+ exec.getArgument(0) = sink.asExpr()
+ )
+ }
+
+ // predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+
+ // predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
+ // // Extra taint step
+ // // String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
+ // // Not needed here, but may be needed for larger libraries.
+ // none()
+ // }
+}
+
+// To construct the paths between sources and sinks.
+import InputToSQL::PathGraph
+
+from InputToSQL::PathNode source, InputToSQL::PathNode sink
+where InputToSQL::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
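Review bot: The query metadata line `@id cpp/SQLIVulnerable` uses the C/C++ language prefix although the file imports `java` and matches Java calls; the version this commit removes from session/README.org used `java/SQLIVulnerable`, so this looks like a copy slip. Change it to ` * @id java/SQLIVulnerable` so the rule id reported in SARIF output matches the language the query runs on. Separately, `module InputToSQL = TaintTracking::Global;` is shown here without a `<SqliFlowConfig>` type argument, which may be lost in rendering rather than missing in the file, but is worth confirming because the alias is what `PathGraph`, `PathNode` and `flowPath` below are taken from. Finally, both `isSource` and `isSink` match callees by name only (`readLine`, `executeUpdate`) without constraining the declaring type; a one-line comment such as `// name-only match: any method named executeUpdate counts as a sink` would tell readers why results can include unrelated calls and where to tighten the query later.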