mirror of
https://github.com/github/codeql.git
synced 2026-04-24 08:15:14 +02:00
fp case if encrypt set in initializer
This commit is contained in:
Chanel Young
@@ -32,6 +32,11 @@ module InsecureSqlConnectionConfig implements DataFlow::ConfigSig {
|
||||
oc.getType().getName() = "SqlConnectionStringBuilder"
|
||||
or
|
||||
oc.getType().getName() = "SqlConnection"
|
||||
) and
|
||||
not exists(MemberInitializer mi |
|
||||
mi = oc.getInitializer().(ObjectInitializer).getAMemberInitializer() and
|
||||
mi.getLValue().(PropertyAccess).getTarget().getName() = "Encrypt" and
|
||||
mi.getRValue().(BoolLiteral).getValue() = "true"
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
@@ -29,9 +29,15 @@ namespace InsecureSQLConnection
|
||||
conBuilder.Encrypt = true;
|
||||
SqlConnection conn = new SqlConnection();
|
||||
conn.ConnectionString = conBuilder.ToString();
|
||||
|
||||
}
|
||||
|
||||
public void StringInInitializer()
|
||||
{
|
||||
string connectString = "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false";
|
||||
SqlConnectionStringBuilder conBuilder = new SqlConnectionStringBuilder(connectString) { Encrypt = true};
|
||||
}
|
||||
|
||||
|
||||
public void TriggerThis()
|
||||
{
|
||||
// BAD, Encrypt not specified
|
||||
|
||||
@@ -1,18 +1,18 @@
|
||||
edges
|
||||
| InsecureSQLConnection.cs:43:20:43:32 | access to local variable connectString : String | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | provenance | |
|
||||
| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:43:20:43:32 | access to local variable connectString : String | provenance | |
|
||||
| InsecureSQLConnection.cs:52:20:52:32 | access to local variable connectString : String | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | provenance | |
|
||||
| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:52:20:52:32 | access to local variable connectString : String | provenance | |
|
||||
| InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | provenance | |
|
||||
| InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | provenance | |
|
||||
| InsecureSQLConnection.cs:58:20:58:32 | access to local variable connectString : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | provenance | |
|
||||
| InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:58:20:58:32 | access to local variable connectString : String | provenance | |
|
||||
nodes
|
||||
| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | semmle.label | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" |
|
||||
| InsecureSQLConnection.cs:43:20:43:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
|
||||
| InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String |
|
||||
| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | semmle.label | access to local variable connectString |
|
||||
| InsecureSQLConnection.cs:52:20:52:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
|
||||
| InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String |
|
||||
| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | semmle.label | access to local variable connectString |
|
||||
| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | semmle.label | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" |
|
||||
| InsecureSQLConnection.cs:49:20:49:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
|
||||
| InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String |
|
||||
| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | semmle.label | access to local variable connectString |
|
||||
| InsecureSQLConnection.cs:58:20:58:32 | access to local variable connectString : String | semmle.label | access to local variable connectString : String |
|
||||
| InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | semmle.label | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String |
|
||||
| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | semmle.label | access to local variable connectString |
|
||||
subpaths
|
||||
#select
|
||||
| InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:38:52:38:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string |
|
||||
| InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:46:81:46:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:17:44:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string |
|
||||
| InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:55:81:55:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:53:17:53:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string |
|
||||
| InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:44:52:44:128 | "Server=myServerName\\myInstanceName;Database=myDataBase;User Id=myUsername;" | Connection string |
|
||||
| InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" : String | InsecureSQLConnection.cs:52:81:52:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:50:17:50:64 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd" | Connection string |
|
||||
| InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" : String | InsecureSQLConnection.cs:61:81:61:93 | access to local variable connectString | $@ flows to this SQL connection and does not specify `Encrypt=True`. | InsecureSQLConnection.cs:59:17:59:78 | "Server=1.2.3.4;Database=Anything;UID=ab;Pwd=cd;Encrypt=false" | Connection string |
|
||||
|
||||
Reference in New Issue
Block a user