Complete SQL injection barriers implementation with change notes

Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-10-30 16:48:42 +00:00
parent 36dc27c3e7
commit 52a6f5d626
2 changed files with 24 additions and 11 deletions


@@ -135,19 +135,25 @@ module SqlInjection {
* Holds if `guard` is an OR expression where both operands compare `node` * Holds if `guard` is an OR expression where both operands compare `node`
* with string literals when `branch` is true. * with string literals when `branch` is true.
*/ */
private predicate stringConstCompareOr(CfgNodes::AstCfgNode guard, Cfg::CfgNode node, boolean branch) { private predicate stringConstCompareOr(
exists(LogicalOrExpr orExpr | CfgNodes::AstCfgNode guard, Cfg::CfgNode node, boolean branch
) {
exists(LogicalOrExpr orExpr, EqualsOperation eqLeft, EqualsOperation eqRight |
guard = orExpr.getACfgNode() and guard = orExpr.getACfgNode() and
branch = true and branch = true and
// Both sides of OR must be string constant comparisons of the same node eqLeft.getACfgNode() = orExpr.getLhs().getACfgNode() and
stringConstCompare(orExpr.getLhs().getACfgNode(), node, true) and eqRight.getACfgNode() = orExpr.getRhs().getACfgNode() and
stringConstCompare(orExpr.getRhs().getACfgNode(), node, true) and // Both sides must compare the same node against string literals
// Ensure both sides compare the same node (
exists(Cfg::CfgNode leftNode, Cfg::CfgNode rightNode | node = eqLeft.getLhs().getACfgNode() and
stringConstCompare(orExpr.getLhs().getACfgNode(), leftNode, true) and node = eqRight.getLhs().getACfgNode() and
stringConstCompare(orExpr.getRhs().getACfgNode(), rightNode, true) and eqLeft.getRhs() instanceof StringLiteralExpr and
leftNode = rightNode and eqRight.getRhs() instanceof StringLiteralExpr
leftNode = node or
node = eqLeft.getRhs().getACfgNode() and
node = eqRight.getRhs().getACfgNode() and
eqLeft.getLhs() instanceof StringLiteralExpr and
eqRight.getLhs() instanceof StringLiteralExpr
) )
) )
} }
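Review bot: The disjunction in the new `stringConstCompareOr` only fires when `node` sits on the same side of both comparisons, so `x == "a" || "b" == x` is not recognised as a barrier, and because each operand of the OR must itself be an `EqualsOperation`, a chain such as `x == "a" || x == "b" || x == "c"` (the left operand is a nested `LogicalOrExpr`) is missed too, which is narrower than the "one or more constant string values" wording in the accompanying change note. Factoring the per-operand test into a small helper and applying it to each side independently fixes the first case; the chain case could then be handled by also accepting a recursive `stringConstCompareOr(orExpr.getLhs().getACfgNode(), node, true)` on either side, assuming `getACfgNode()` yields the nested OR's CFG node the same way. Two soundness caveats worth a comment on the predicate: this relies on `EqualsOperation` matching `==` only (a `!=` disjunction such as `x != "a" || x != "b"` is a tautology and must never act as a barrier), and in Rust `==` dispatches to `PartialEq`, so a type with a permissive `PartialEq<&str>` implementation would make the barrier unsound — something like `// NOTE: assumes built-in string equality; an overloaded PartialEq is not a validation` would record that assumption.
```ql
/** Holds if `eq` compares `node` with a string literal on either side. */
private predicate stringConstEquals(EqualsOperation eq, Cfg::CfgNode node) {
  node = eq.getLhs().getACfgNode() and eq.getRhs() instanceof StringLiteralExpr
  or
  node = eq.getRhs().getACfgNode() and eq.getLhs() instanceof StringLiteralExpr
}

private predicate stringConstCompareOr(
  CfgNodes::AstCfgNode guard, Cfg::CfgNode node, boolean branch
) {
  exists(LogicalOrExpr orExpr, EqualsOperation eqLeft, EqualsOperation eqRight |
    // … unchanged: guard/branch binding and eqLeft/eqRight CFG-node matching …
    stringConstEquals(eqLeft, node) and
    stringConstEquals(eqRight, node)
  )
}
```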


@@ -0,0 +1,7 @@
---
category: minorAnalysis
---
* The `rust/sql-injection` query now includes taint flow barriers to reduce false positives. Specifically:
* Data parsed to numeric types (e.g., `.parse::<i32>()`) is now recognized as safe.
* Data validated against one or more constant string values (e.g., `if x == "admin"` or `if x == "user" || x == "guest"`) is now recognized as safe within the validated branch.
* Data validated using collection membership checks against string literals (e.g., `if ["admin", "user"].contains(&x)`) is now recognized as safe within the validated branch.