hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Added @sap/hdbext.loadProccedure as sql sink.

Browse Source
This commit is contained in:
Napalys
2025-03-25 14:48:40 +01:00
parent e595def8b0
commit 0285cb6c7a
3 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
javascript/ql/lib/ext/hana-db-client.model.yml
View File

@@ -4,5 +4,5 @@ extensions:
extensible: sinkModel
data:
- ["@sap/hana-client", "Member[createConnection].ReturnValue.Member[exec,prepare].Argument[0]", "sql-injection"]
- ["hdb", "Member[createClient].ReturnValue.Member[exec,prepare,execute].Argument[0]", "sql-injection"]
- ["@sap/hdbext", "Member[loadProcedure].Argument[2]", "sql-injection"]

14
javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
View File

@@ -14,6 +14,7 @@
| hana.js:17:35:17:100 | `SELECT ... usInput | hana.js:16:32:16:39 | req.body | hana.js:17:35:17:100 | `SELECT ... usInput | This query string depends on a $@. | hana.js:16:32:16:39 | req.body | user-provided value |
| hana.js:24:33:24:96 | `INSERT ... usInput | hana.js:23:32:23:39 | req.body | hana.js:24:33:24:96 | `INSERT ... usInput | This query string depends on a $@. | hana.js:23:32:23:39 | req.body | user-provided value |
| hana.js:31:31:31:97 | "SELECT ... usInput | hana.js:30:30:30:37 | req.body | hana.js:31:31:31:97 | "SELECT ... usInput | This query string depends on a $@. | hana.js:30:30:30:37 | req.body | user-provided value |
| hana.js:54:38:54:66 | 'PROC_D ... usInput | hana.js:47:24:47:31 | req.body | hana.js:54:38:54:66 | 'PROC_D ... usInput | This query string depends on a $@. | hana.js:47:24:47:31 | req.body | user-provided value |
| hana.js:71:44:71:99 | "INSERT ... usInput | hana.js:68:24:68:31 | req.body | hana.js:71:44:71:99 | "INSERT ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
| hana.js:73:17:73:54 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:73:17:73:54 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
| hana.js:74:17:74:54 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:74:17:74:54 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
@@ -175,6 +176,13 @@ edges
| hana.js:30:13:30:42 | maliciousInput | hana.js:31:84:31:97 | maliciousInput | provenance | |
| hana.js:30:30:30:37 | req.body | hana.js:30:13:30:42 | maliciousInput | provenance | |
| hana.js:31:84:31:97 | maliciousInput | hana.js:31:31:31:97 | "SELECT ... usInput | provenance | |
| hana.js:47:7:47:36 | maliciousInput | hana.js:48:39:48:52 | maliciousInput | provenance | |
| hana.js:47:7:47:36 | maliciousInput | hana.js:50:76:50:89 | maliciousInput | provenance | |
| hana.js:47:7:47:36 | maliciousInput | hana.js:54:53:54:66 | maliciousInput | provenance | |
| hana.js:47:24:47:31 | req.body | hana.js:47:7:47:36 | maliciousInput | provenance | |
| hana.js:48:39:48:52 | maliciousInput | hana.js:50:76:50:89 | maliciousInput | provenance | |
| hana.js:50:76:50:89 | maliciousInput | hana.js:54:53:54:66 | maliciousInput | provenance | |
| hana.js:54:53:54:66 | maliciousInput | hana.js:54:38:54:66 | 'PROC_D ... usInput | provenance | |
| hana.js:68:7:68:36 | maliciousInput | hana.js:71:86:71:99 | maliciousInput | provenance | |
| hana.js:68:7:68:36 | maliciousInput | hana.js:73:41:73:54 | maliciousInput | provenance | |
| hana.js:68:7:68:36 | maliciousInput | hana.js:74:41:74:54 | maliciousInput | provenance | |
@@ -557,6 +565,12 @@ nodes
| hana.js:30:30:30:37 | req.body | semmle.label | req.body |
| hana.js:31:31:31:97 | "SELECT ... usInput | semmle.label | "SELECT ... usInput |
| hana.js:31:84:31:97 | maliciousInput | semmle.label | maliciousInput |
| hana.js:47:7:47:36 | maliciousInput | semmle.label | maliciousInput |
| hana.js:47:24:47:31 | req.body | semmle.label | req.body |
| hana.js:48:39:48:52 | maliciousInput | semmle.label | maliciousInput |
| hana.js:50:76:50:89 | maliciousInput | semmle.label | maliciousInput |
| hana.js:54:38:54:66 | 'PROC_D ... usInput | semmle.label | 'PROC_D ... usInput |
| hana.js:54:53:54:66 | maliciousInput | semmle.label | maliciousInput |
| hana.js:68:7:68:36 | maliciousInput | semmle.label | maliciousInput |
| hana.js:68:24:68:31 | req.body | semmle.label | req.body |
| hana.js:71:44:71:99 | "INSERT ... usInput | semmle.label | "INSERT ... usInput |

4
javascript/ql/test/query-tests/Security/CWE-089/untyped/hana.js
View File

@@ -44,14 +44,14 @@ app1.use(hdbext.middleware(hanaConfig));
app1.get('/execute-query', function (req, res) {
var client = req.db;
let maliciousInput = req.body.data; // $ MISSING: Source
let maliciousInput = req.body.data; // $ Source
client.exec('SELECT * FROM DUMMY' + maliciousInput, function (err, rs) {}); // $ MISSING: Alert
dbStream.createProcStatement(client, 'CALL PROC_DUMMY (?, ?, ?, ?, ?)' + maliciousInput, function (err, stmt) { // $ MISSING: Alert
stmt.exec({ A: maliciousInput, B: 4 }, function (err, params, dummyRows, tablesRows) {}); // maliciousInput is treated as a parameter
});
hdbext.loadProcedure(client, null, 'PROC_DUMMY' + maliciousInput, function(err, sp) { // $ MISSING: Alert
hdbext.loadProcedure(client, null, 'PROC_DUMMY' + maliciousInput, function(err, sp) { // $ Alert
sp(3, maliciousInput, function(err, parameters, dummyRows, tablesRows) {}); // maliciousInput is treated as a parameter
});
});