Improve Sqlite3 test

2026-04-24 16:25:15 +02:00 · 2026-02-17 22:16:14 +00:00
parent d4bb92b038
commit 1fa183ee2a
3 changed files with 27 additions and 7 deletions
--- a/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected
+++ b/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected
@@ -0,0 +1,12 @@
+#select
+| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
+edges
+| sqlite3.rb:25:5:25:12 | category | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | provenance | AdditionalTaintStep |
+| sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:25:16:25:32 | ...[...] | provenance |  |
+| sqlite3.rb:25:16:25:32 | ...[...] | sqlite3.rb:25:5:25:12 | category | provenance |  |
+nodes
+| sqlite3.rb:25:5:25:12 | category | semmle.label | category |
+| sqlite3.rb:25:16:25:21 | call to params | semmle.label | call to params |
+| sqlite3.rb:25:16:25:32 | ...[...] | semmle.label | ...[...] |
+| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
+subpaths
--- a/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.qlref
+++ b/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/ruby/ql/test/library-tests/frameworks/sqlite3/sqlite3.rb
+++ b/ruby/ql/test/library-tests/frameworks/sqlite3/sqlite3.rb
@@ -20,12 +20,16 @@ SQLite3::Database.new( "data.db" ) do |db|
 end


-class MyDatabaseWrapper
-      def initialize(filename)
-      @db = SQLite3::Database.new(filename, results_as_hash: true)
-    end
+class SqliteController < ActionController::Base
+  def sqlite3_handler
+    category = params[:category] # $ Source[rb/sql-injection]
+    db = SQLite3::Database.new "test.db"

-    def select_rows(category)
-      @db.execute("select * from table")
-    end
+    # BAD: SQL injection vulnerability
+    db.execute("select * from table where category = '#{category}'") # $ Alert[rb/sql-injection]
+
+    # GOOD: Sanitized by SQLite3::Database.quote
+    sanitized_category = SQLite3::Database.quote(category)
+    db.execute("select * from table where category = '#{sanitized_category}'")
+  end
 end