hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 19:26:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Use isAdditionalBarrier in the SqlTainted query.

Browse Source
This commit is contained in:
Geoffrey White
2021-01-05 11:32:29 +00:00
parent 69efe7a72a
commit 18890c4a77
3 changed files with 3 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
View File

@@ -27,6 +27,8 @@ class Configuration extends TaintTrackingConfiguration {
override predicate isSink(Element tainted) {
exists(SQLLikeFunction runSql | runSql.outermostWrapperFunctionCall(tainted, _))
}
override predicate isAdditionalBarrier(Expr e) { e.getUnspecifiedType() instanceof IntegralType }
}
from

10
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
View File

@@ -3,21 +3,11 @@ edges
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
| test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
nodes
| test.c:15:20:15:23 | argv | semmle.label | argv |
| test.c:15:20:15:23 | argv | semmle.label | argv |
| test.c:16:25:16:28 | argv | semmle.label | argv |
| test.c:16:25:16:28 | argv | semmle.label | argv |
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:21:18:21:23 | query1 | semmle.label | query1 |
| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:33:18:33:23 | query3 | semmle.label | query3 |
#select
| test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
| test.c:33:18:33:23 | query3 | test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:16:25:16:28 | argv | user input (argv) |

2
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
View File

@@ -30,5 +30,5 @@ int main(int argc, char** argv) {
// an integer from the user is injected into an SQL query.
char query3[1000] = {0};
snprintf(query3, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
mysql_query(0, query3); // BAD [FALSE POSITIVE]
mysql_query(0, query3); // BAD
}