hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Second-order SQL injection

Browse Source
This commit is contained in:
Ed Minnix
2024-02-20 22:19:38 -05:00
parent 1ba3efb111
commit 4dc605354c
6 changed files with 8 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.qhelp
View File

@@ -1,6 +0,0 @@
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<include src="SqlInjection.qhelp" />
</qhelp>

32
csharp/ql/src/Security Features/CWE-089/SecondOrderSqlInjection.ql
View File

@@ -1,32 +0,0 @@
/**
* @name SQL query built from stored user-controlled sources
* @description Building a SQL query from stored user-controlled sources is vulnerable to insertion
* of malicious SQL code by the user.
* @kind path-problem
* @problem.severity error
* @security-severity 8.8
* @precision medium
* @id cs/second-order-sql-injection
* @tags security
* external/cwe/cwe-089
*/
import csharp
import semmle.code.csharp.security.dataflow.SqlInjectionQuery
import semmle.code.csharp.security.dataflow.flowsources.Stored
import StoredSqlInjection::PathGraph
module StoredSqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof StoredFlowSource }
predicate isSink = SqlInjectionConfig::isSink/1;
predicate isBarrier = SqlInjectionConfig::isBarrier/1;
}
module StoredSqlInjection = TaintTracking::Global<StoredSqlInjectionConfig>;
from StoredSqlInjection::PathNode source, StoredSqlInjection::PathNode sink
where StoredSqlInjection::flowPath(source, sink)
select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
"stored user-provided value"

2
csharp/ql/src/change-notes/2024-03-11-remove-stored-query-variants.md
View File

@@ -1,5 +1,5 @@
---
category: majorAnalysis
---
* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.
* The `Stored` variants of some queries (`cs/stored-command-line-injection`, `cs/web/stored-xss`, `cs/stored-ldap-injection`, `cs/xml/stored-xpath-injection`. `cs/second-order-sql-injection`) have been removed. If you were using these queries, their results can be restored by enabling the `file` and `database` threat models in your threat model configuration.

56
csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.expected
View File

@@ -1,56 +0,0 @@
edges
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance | |
| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | provenance | |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance | |
| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | provenance | |
| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | provenance | |
| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance | |
| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | provenance | |
| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance | |
| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | provenance | |
| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance | |
| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance | |
| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | provenance | |
| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | provenance | |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance | |
| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | provenance | |
| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | provenance | |
| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | provenance | |
| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | provenance | |
| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | provenance | |
| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | provenance | |
| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | provenance | |
| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance | |
| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | provenance | |
nodes
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | semmle.label | ... + ... |
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | semmle.label | call to method GetString : String |
| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | semmle.label | call to method Trim : String |
| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | semmle.label | access to local variable sql |
| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | semmle.label | object creation of type FileStream : FileStream |
| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | semmle.label | object creation of type StreamReader : StreamReader |
| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | semmle.label | access to local variable fs : FileStream |
| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | semmle.label | access to local variable sr : StreamReader |
| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | semmle.label | call to method ReadLine : String |
| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | semmle.label | access to local variable sql : String |
| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | semmle.label | call to method Trim : String |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | semmle.label | access to local variable sql |
subpaths
#select
| SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString | stored user-provided value |
| SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | This SQL query depends on a $@. | SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream | stored user-provided value |
| SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | This SQL query depends on a $@. | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream | stored user-provided value |

1
csharp/ql/test/query-tests/Security Features/CWE-089/SecondOrderSqlInjection.qlref
View File

@@ -1 +0,0 @@
Security Features/CWE-089/SecondOrderSqlInjection.ql

7
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.ext.yml Normal file
View File

@@ -0,0 +1,7 @@
extensions:
- addsTo:
pack: codeql/threat-models
extensible: threatModelConfiguration
data:
- ["local", true, 0]