hohn/codeql-workshop-sql-injection-java
1
0
Fork 0
mirror of https://github.com/hohn/codeql-workshop-sql-injection-java.git synced 2025-12-16 18:53:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
query-help
codeql-workshop-sql-injecti…/session/full-query-old-style.ql
Michael Hohn 5ee57f0b58 Make src/ and session/ runnable
2023-08-16 15:04:33 -07:00

45 lines
1.3 KiB
Plaintext
Raw Permalink Blame History

/**
* @name SQLI Vulnerability
* @description Using untrusted strings in a sql query allows sql injection attacks.
* @kind path-problem
* @id cpp/SQLIVulnerable
* @problem.severity warning
*/
import java
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph
class SqliFlowConfig extends TaintTracking::Configuration {
SqliFlowConfig() { this = "SqliFlow" }
override predicate isSource(DataFlow::Node source) {
// System.console().readLine();
exists(Call read |
read.getCallee().getName() = "readLine" and
read = source.asExpr()
)
}
override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
// Extra taint step
// String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
// Not needed here, but may be needed for larger libraries.
none()
}
override predicate isSink(DataFlow::Node sink) {
// conn.createStatement().executeUpdate(query);
exists(Call exec |
exec.getCallee().getName() = "executeUpdate" and
exec.getArgument(0) = sink.asExpr()
)
}
}
from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
where conf.hasFlowPath(source, sink)
select sink, source, sink, "Possible SQL injection"
Reference in New Issue View Git Blame Copy Permalink