hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

C#: Add NHibernate SQL injection tests

Browse Source
This commit is contained in:
Tom Hvitved
2025-12-11 13:14:44 +01:00
parent fac84ee9f3
commit 776f6cd56f
3 changed files with 105 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjection.expected
View File

@@ -17,6 +17,9 @@
| SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | SqlInjectionDapper.cs:58:42:58:46 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:57:86:57:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:67:42:67:46 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | this TextBox text |
| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | This query depends on $@. | SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | this TextBox text |
| SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | This query depends on $@. | SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | This query depends on $@. | SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | This query depends on $@. | SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | this ASP.NET user input |
| SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | This query depends on $@. | SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | this ASP.NET user input |
@@ -27,43 +30,43 @@
edges
| SecondOrderSqlInjection.cs:20:31:20:44 | access to local variable customerReader : SqlDataReader | SecondOrderSqlInjection.cs:25:119:25:132 | access to local variable customerReader : SqlDataReader | provenance | |
| SecondOrderSqlInjection.cs:20:48:20:78 | call to method ExecuteReader : SqlDataReader | SecondOrderSqlInjection.cs:20:31:20:44 | access to local variable customerReader : SqlDataReader | provenance | |
| SecondOrderSqlInjection.cs:25:119:25:132 | access to local variable customerReader : SqlDataReader | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | provenance | MaD:23 |
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance | Sink:MaD:15 |
| SecondOrderSqlInjection.cs:25:119:25:132 | access to local variable customerReader : SqlDataReader | SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | provenance | MaD:26 |
| SecondOrderSqlInjection.cs:25:119:25:145 | call to method GetString : String | SecondOrderSqlInjection.cs:25:71:25:145 | ... + ... | provenance | Sink:MaD:18 |
| SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | provenance | |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance | Src:MaD:19 |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance | Src:MaD:18 |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance | Src:MaD:22 |
| SecondOrderSqlInjection.cs:33:36:33:78 | object creation of type FileStream : FileStream | SecondOrderSqlInjection.cs:33:31:33:32 | access to local variable fs : FileStream | provenance | Src:MaD:21 |
| SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | provenance | |
| SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | SecondOrderSqlInjection.cs:35:37:35:38 | access to local variable sr : StreamReader | provenance | |
| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance | MaD:25 |
| SecondOrderSqlInjection.cs:35:59:35:60 | access to local variable fs : FileStream | SecondOrderSqlInjection.cs:35:42:35:76 | object creation of type StreamReader : StreamReader | provenance | MaD:28 |
| SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | provenance | |
| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance | MaD:26 |
| SecondOrderSqlInjection.cs:38:35:38:36 | access to local variable sr : StreamReader | SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | provenance | MaD:29 |
| SecondOrderSqlInjection.cs:38:35:38:47 | call to method ReadLine : String | SecondOrderSqlInjection.cs:38:29:38:31 | access to local variable sql : String | provenance | |
| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance | Sink:MaD:10 |
| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance | MaD:28 |
| SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | SecondOrderSqlInjection.cs:45:57:45:59 | access to local variable sql | provenance | Sink:MaD:13 |
| SecondOrderSqlInjection.cs:40:31:40:33 | access to local variable sql : String | SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | provenance | MaD:31 |
| SecondOrderSqlInjection.cs:40:31:40:40 | call to method Trim : String | SecondOrderSqlInjection.cs:40:25:40:27 | access to local variable sql : String | provenance | |
| SqlInjection.cs:37:21:37:26 | access to local variable query1 : String | SqlInjection.cs:39:50:39:55 | access to local variable query1 | provenance | Sink:MaD:17 |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:38:21:38:40 | access to property Text : String | provenance | MaD:27 |
| SqlInjection.cs:37:21:37:26 | access to local variable query1 : String | SqlInjection.cs:39:50:39:55 | access to local variable query1 | provenance | Sink:MaD:20 |
| SqlInjection.cs:38:21:38:35 | access to field categoryTextBox : TextBox | SqlInjection.cs:38:21:38:40 | access to property Text : String | provenance | MaD:30 |
| SqlInjection.cs:38:21:38:40 | access to property Text : String | SqlInjection.cs:37:21:37:26 | access to local variable query1 : String | provenance | |
| SqlInjection.cs:72:25:72:30 | access to local variable query1 : String | SqlInjection.cs:74:56:74:61 | access to local variable query1 | provenance | Sink:MaD:7 |
| SqlInjection.cs:72:25:72:30 | access to local variable query1 : String | SqlInjection.cs:75:55:75:60 | access to local variable query1 | provenance | Sink:MaD:8 |
| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:73:33:73:52 | access to property Text : String | provenance | MaD:27 |
| SqlInjection.cs:72:25:72:30 | access to local variable query1 : String | SqlInjection.cs:74:56:74:61 | access to local variable query1 | provenance | Sink:MaD:10 |
| SqlInjection.cs:72:25:72:30 | access to local variable query1 : String | SqlInjection.cs:75:55:75:60 | access to local variable query1 | provenance | Sink:MaD:11 |
| SqlInjection.cs:73:33:73:47 | access to field categoryTextBox : TextBox | SqlInjection.cs:73:33:73:52 | access to property Text : String | provenance | MaD:30 |
| SqlInjection.cs:73:33:73:52 | access to property Text : String | SqlInjection.cs:72:25:72:30 | access to local variable query1 : String | provenance | |
| SqlInjection.cs:86:21:86:26 | access to local variable query1 : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 | provenance | Sink:MaD:17 |
| SqlInjection.cs:86:21:86:26 | access to local variable query1 : String | SqlInjection.cs:88:50:88:55 | access to local variable query1 | provenance | Sink:MaD:20 |
| SqlInjection.cs:87:21:87:29 | access to property Text : String | SqlInjection.cs:86:21:86:26 | access to local variable query1 : String | provenance | |
| SqlInjection.cs:96:21:96:31 | access to local variable queryString : String | SqlInjection.cs:98:42:98:52 | access to local variable queryString | provenance | Sink:MaD:14 |
| SqlInjection.cs:96:21:96:31 | access to local variable queryString : String | SqlInjection.cs:98:42:98:52 | access to local variable queryString | provenance | Sink:MaD:17 |
| SqlInjection.cs:96:21:96:31 | access to local variable queryString : String | SqlInjection.cs:98:42:98:52 | access to local variable queryString : String | provenance | |
| SqlInjection.cs:97:21:97:29 | access to property Text : String | SqlInjection.cs:96:21:96:31 | access to local variable queryString : String | provenance | |
| SqlInjection.cs:98:21:98:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:99:50:99:52 | access to local variable cmd | provenance | Sink:MaD:16 |
| SqlInjection.cs:98:21:98:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:99:50:99:52 | access to local variable cmd | provenance | Sink:MaD:19 |
| SqlInjection.cs:98:27:98:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:98:21:98:23 | access to local variable cmd : SqlCommand | provenance | |
| SqlInjection.cs:98:42:98:52 | access to local variable queryString : String | SqlInjection.cs:98:27:98:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:22 |
| SqlInjection.cs:107:21:107:31 | access to local variable queryString : String | SqlInjection.cs:109:42:109:52 | access to local variable queryString | provenance | Sink:MaD:14 |
| SqlInjection.cs:98:42:98:52 | access to local variable queryString : String | SqlInjection.cs:98:27:98:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:25 |
| SqlInjection.cs:107:21:107:31 | access to local variable queryString : String | SqlInjection.cs:109:42:109:52 | access to local variable queryString | provenance | Sink:MaD:17 |
| SqlInjection.cs:107:21:107:31 | access to local variable queryString : String | SqlInjection.cs:109:42:109:52 | access to local variable queryString : String | provenance | |
| SqlInjection.cs:108:21:108:38 | call to method ReadLine : String | SqlInjection.cs:107:21:107:31 | access to local variable queryString : String | provenance | Src:MaD:20 |
| SqlInjection.cs:109:21:109:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:110:50:110:52 | access to local variable cmd | provenance | Sink:MaD:16 |
| SqlInjection.cs:108:21:108:38 | call to method ReadLine : String | SqlInjection.cs:107:21:107:31 | access to local variable queryString : String | provenance | Src:MaD:23 |
| SqlInjection.cs:109:21:109:23 | access to local variable cmd : SqlCommand | SqlInjection.cs:110:50:110:52 | access to local variable cmd | provenance | Sink:MaD:19 |
| SqlInjection.cs:109:27:109:53 | object creation of type SqlCommand : SqlCommand | SqlInjection.cs:109:21:109:23 | access to local variable cmd : SqlCommand | provenance | |
| SqlInjection.cs:109:42:109:52 | access to local variable queryString : String | SqlInjection.cs:109:27:109:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:22 |
| SqlInjection.cs:109:42:109:52 | access to local variable queryString : String | SqlInjection.cs:109:27:109:53 | object creation of type SqlCommand : SqlCommand | provenance | MaD:25 |
| SqlInjection.cs:122:73:122:78 | userId : String | SqlInjection.cs:125:20:125:24 | access to local variable query : String | provenance | |
| SqlInjection.cs:125:20:125:24 | access to local variable query : String | SqlInjection.cs:129:53:129:57 | access to local variable query | provenance | Sink:MaD:15 |
| SqlInjection.cs:125:20:125:24 | access to local variable query : String | SqlInjection.cs:129:53:129:57 | access to local variable query | provenance | Sink:MaD:18 |
| SqlInjectionDapper.cs:20:21:20:25 | access to local variable query : String | SqlInjectionDapper.cs:21:55:21:59 | access to local variable query | provenance | Sink:MaD:4 |
| SqlInjectionDapper.cs:20:86:20:94 | access to property Text : String | SqlInjectionDapper.cs:20:21:20:25 | access to local variable query : String | provenance | |
| SqlInjectionDapper.cs:29:21:29:25 | access to local variable query : String | SqlInjectionDapper.cs:30:66:30:70 | access to local variable query | provenance | Sink:MaD:5 |
@@ -78,27 +81,36 @@ edges
| SqlInjectionDapper.cs:66:86:66:94 | access to property Text : String | SqlInjectionDapper.cs:66:21:66:25 | access to local variable query : String | provenance | |
| SqlInjectionDapper.cs:75:21:75:25 | access to local variable query : String | SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | provenance | |
| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | SqlInjectionDapper.cs:75:21:75:25 | access to local variable query : String | provenance | |
| SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | provenance | MaD:27 Sink:MaD:9 |
| SqlInjectionSqlite.cs:24:17:24:19 | access to local variable cmd : SQLiteCommand | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | provenance | Sink:MaD:11 |
| SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | provenance | MaD:30 Sink:MaD:8 |
| SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | provenance | MaD:30 Sink:MaD:9 |
| SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | provenance | MaD:30 Sink:MaD:7 |
| SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | provenance | MaD:30 Sink:MaD:8 |
| SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | provenance | MaD:30 Sink:MaD:9 |
| SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | provenance | MaD:30 Sink:MaD:7 |
| SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | provenance | MaD:30 Sink:MaD:8 |
| SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | provenance | MaD:30 Sink:MaD:9 |
| SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | provenance | MaD:30 Sink:MaD:7 |
| SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | provenance | MaD:30 Sink:MaD:12 |
| SqlInjectionSqlite.cs:24:17:24:19 | access to local variable cmd : SQLiteCommand | SqlInjectionSqlite.cs:44:45:44:47 | access to local variable cmd | provenance | Sink:MaD:14 |
| SqlInjectionSqlite.cs:24:23:24:71 | object creation of type SQLiteCommand : SQLiteCommand | SqlInjectionSqlite.cs:24:17:24:19 | access to local variable cmd : SQLiteCommand | provenance | |
| SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | provenance | MaD:27 Sink:MaD:10 |
| SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text : String | provenance | MaD:27 |
| SqlInjectionSqlite.cs:24:41:24:58 | access to property Text : String | SqlInjectionSqlite.cs:24:23:24:71 | object creation of type SQLiteCommand : SQLiteCommand | provenance | MaD:21 |
| SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | provenance | MaD:27 Sink:MaD:12 |
| SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | provenance | MaD:27 Sink:MaD:13 |
| SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text | provenance | MaD:30 Sink:MaD:13 |
| SqlInjectionSqlite.cs:24:41:24:53 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:24:41:24:58 | access to property Text : String | provenance | MaD:30 |
| SqlInjectionSqlite.cs:24:41:24:58 | access to property Text : String | SqlInjectionSqlite.cs:24:23:24:71 | object creation of type SQLiteCommand : SQLiteCommand | provenance | MaD:24 |
| SqlInjectionSqlite.cs:33:49:33:61 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:33:49:33:66 | access to property Text | provenance | MaD:30 Sink:MaD:15 |
| SqlInjectionSqlite.cs:39:45:39:57 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:39:45:39:62 | access to property Text | provenance | MaD:30 Sink:MaD:16 |
| SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | provenance | |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance | Src:MaD:19 |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance | Src:MaD:18 |
| SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | provenance | MaD:27 |
| SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | provenance | MaD:24 |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance | Src:MaD:22 |
| SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | SqlInjectionSqlite.cs:49:31:49:32 | access to local variable fs : FileStream | provenance | Src:MaD:21 |
| SqlInjectionSqlite.cs:49:51:49:63 | access to field untrustedData : TextBox | SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | provenance | MaD:30 |
| SqlInjectionSqlite.cs:49:51:49:68 | access to property Text : String | SqlInjectionSqlite.cs:49:36:49:84 | object creation of type FileStream : FileStream | provenance | MaD:27 |
| SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | provenance | |
| SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | SqlInjectionSqlite.cs:51:37:51:38 | access to local variable sr : StreamReader | provenance | |
| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | provenance | MaD:25 |
| SqlInjectionSqlite.cs:51:59:51:60 | access to local variable fs : FileStream | SqlInjectionSqlite.cs:51:42:51:76 | object creation of type StreamReader : StreamReader | provenance | MaD:28 |
| SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | provenance | |
| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | provenance | MaD:26 |
| SqlInjectionSqlite.cs:54:35:54:36 | access to local variable sr : StreamReader | SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | provenance | MaD:29 |
| SqlInjectionSqlite.cs:54:35:54:47 | call to method ReadLine : String | SqlInjectionSqlite.cs:54:29:54:31 | access to local variable sql : String | provenance | |
| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | provenance | Sink:MaD:10 |
| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance | MaD:28 |
| SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | SqlInjectionSqlite.cs:61:53:61:55 | access to local variable sql | provenance | Sink:MaD:13 |
| SqlInjectionSqlite.cs:56:31:56:33 | access to local variable sql : String | SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | provenance | MaD:31 |
| SqlInjectionSqlite.cs:56:31:56:40 | call to method Trim : String | SqlInjectionSqlite.cs:56:25:56:27 | access to local variable sql : String | provenance | |
models
| 1 | Sink: Dapper; SqlMapper; false; ExecuteAsync; (System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>); ; Argument[1]; sql-injection; manual |
@@ -107,28 +119,31 @@ models
| 4 | Sink: Dapper; SqlMapper; false; Query<T>; (System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Boolean,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>); ; Argument[1]; sql-injection; manual |
| 5 | Sink: Dapper; SqlMapper; false; QueryAsync<T>; (System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>); ; Argument[1]; sql-injection; manual |
| 6 | Sink: Dapper; SqlMapper; false; QueryFirstAsync; (System.Data.IDbConnection,System.String,System.Object,System.Data.IDbTransaction,System.Nullable<System.Int32>,System.Nullable<System.Data.CommandType>); ; Argument[1]; sql-injection; manual |
| 7 | Sink: System.Data.Entity; Database; false; ExecuteSqlCommand; (System.String,System.Object[]); ; Argument[0]; sql-injection; manual |
| 8 | Sink: System.Data.Entity; Database; false; SqlQuery<TElement>; (System.String,System.Object[]); ; Argument[0]; sql-injection; manual |
| 9 | Sink: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String); ; Argument[0]; sql-injection; manual |
| 10 | Sink: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; sql-injection; manual |
| 11 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.Data.SQLite.SQLiteCommand); ; Argument[0]; sql-injection; manual |
| 12 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; sql-injection; manual |
| 13 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.String,System.String); ; Argument[0]; sql-injection; manual |
| 14 | Sink: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; sql-injection; manual |
| 15 | Sink: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String,System.Data.SqlClient.SqlConnection); ; Argument[0]; sql-injection; manual |
| 16 | Sink: System.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (System.Data.SqlClient.SqlCommand); ; Argument[0]; sql-injection; manual |
| 17 | Sink: System.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (System.String,System.Data.SqlClient.SqlConnection); ; Argument[0]; sql-injection; manual |
| 18 | Source: System.IO; FileStream; false; FileStream; ; ; Argument[this]; file-write; manual |
| 19 | Source: System.IO; FileStream; false; FileStream; ; ; Argument[this]; file; manual |
| 20 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
| 21 | Summary: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; Argument[this]; taint; manual |
| 22 | Summary: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; Argument[this]; taint; manual |
| 23 | Summary: System.Data; IDataRecord; true; GetString; (System.Int32); ; Argument[this]; ReturnValue; taint; manual |
| 24 | Summary: System.IO; FileStream; false; FileStream; (System.String,System.IO.FileMode); ; Argument[0]; Argument[this]; taint; manual |
| 25 | Summary: System.IO; StreamReader; false; StreamReader; (System.IO.Stream,System.Text.Encoding); ; Argument[0]; Argument[this]; taint; manual |
| 26 | Summary: System.IO; TextReader; true; ReadLine; (); ; Argument[this]; ReturnValue; taint; manual |
| 27 | Summary: System.Web.UI.WebControls; TextBox; false; get_Text; (); ; Argument[this]; ReturnValue; taint; manual |
| 28 | Summary: System; String; false; Trim; (); ; Argument[this]; ReturnValue; taint; manual |
| 7 | Sink: NHibernate.Impl; AbstractSessionImpl; true; CreateSQLQuery; (System.String); ; Argument[0]; sql-injection; manual |
| 8 | Sink: NHibernate; ISession; true; CreateSQLQuery; (System.String); ; Argument[0]; sql-injection; manual |
| 9 | Sink: NHibernate; IStatelessSession; true; CreateSQLQuery; (System.String); ; Argument[0]; sql-injection; manual |
| 10 | Sink: System.Data.Entity; Database; false; ExecuteSqlCommand; (System.String,System.Object[]); ; Argument[0]; sql-injection; manual |
| 11 | Sink: System.Data.Entity; Database; false; SqlQuery<TElement>; (System.String,System.Object[]); ; Argument[0]; sql-injection; manual |
| 12 | Sink: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String); ; Argument[0]; sql-injection; manual |
| 13 | Sink: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; sql-injection; manual |
| 14 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.Data.SQLite.SQLiteCommand); ; Argument[0]; sql-injection; manual |
| 15 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; sql-injection; manual |
| 16 | Sink: System.Data.SQLite; SQLiteDataAdapter; false; SQLiteDataAdapter; (System.String,System.String); ; Argument[0]; sql-injection; manual |
| 17 | Sink: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; sql-injection; manual |
| 18 | Sink: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String,System.Data.SqlClient.SqlConnection); ; Argument[0]; sql-injection; manual |
| 19 | Sink: System.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (System.Data.SqlClient.SqlCommand); ; Argument[0]; sql-injection; manual |
| 20 | Sink: System.Data.SqlClient; SqlDataAdapter; false; SqlDataAdapter; (System.String,System.Data.SqlClient.SqlConnection); ; Argument[0]; sql-injection; manual |
| 21 | Source: System.IO; FileStream; false; FileStream; ; ; Argument[this]; file-write; manual |
| 22 | Source: System.IO; FileStream; false; FileStream; ; ; Argument[this]; file; manual |
| 23 | Source: System; Console; false; ReadLine; ; ; ReturnValue; stdin; manual |
| 24 | Summary: System.Data.SQLite; SQLiteCommand; false; SQLiteCommand; (System.String,System.Data.SQLite.SQLiteConnection); ; Argument[0]; Argument[this]; taint; manual |
| 25 | Summary: System.Data.SqlClient; SqlCommand; false; SqlCommand; (System.String); ; Argument[0]; Argument[this]; taint; manual |
| 26 | Summary: System.Data; IDataRecord; true; GetString; (System.Int32); ; Argument[this]; ReturnValue; taint; manual |
| 27 | Summary: System.IO; FileStream; false; FileStream; (System.String,System.IO.FileMode); ; Argument[0]; Argument[this]; taint; manual |
| 28 | Summary: System.IO; StreamReader; false; StreamReader; (System.IO.Stream,System.Text.Encoding); ; Argument[0]; Argument[this]; taint; manual |
| 29 | Summary: System.IO; TextReader; true; ReadLine; (); ; Argument[this]; ReturnValue; taint; manual |
| 30 | Summary: System.Web.UI.WebControls; TextBox; false; get_Text; (); ; Argument[this]; ReturnValue; taint; manual |
| 31 | Summary: System; String; false; Trim; (); ; Argument[this]; ReturnValue; taint; manual |
nodes
| SecondOrderSqlInjection.cs:20:31:20:44 | access to local variable customerReader : SqlDataReader | semmle.label | access to local variable customerReader : SqlDataReader |
| SecondOrderSqlInjection.cs:20:48:20:78 | call to method ExecuteReader : SqlDataReader | semmle.label | call to method ExecuteReader : SqlDataReader |
@@ -197,6 +212,12 @@ nodes
| SqlInjectionDapper.cs:75:21:75:25 | access to local variable query : String | semmle.label | access to local variable query : String |
| SqlInjectionDapper.cs:75:86:75:94 | access to property Text : String | semmle.label | access to property Text : String |
| SqlInjectionDapper.cs:77:52:77:56 | access to local variable query | semmle.label | access to local variable query |
| SqlInjectionNHibernate.cs:17:36:17:48 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
| SqlInjectionNHibernate.cs:17:36:17:53 | access to property Text | semmle.label | access to property Text |
| SqlInjectionNHibernate.cs:19:45:19:57 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
| SqlInjectionNHibernate.cs:19:45:19:62 | access to property Text | semmle.label | access to property Text |
| SqlInjectionNHibernate.cs:21:33:21:45 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
| SqlInjectionNHibernate.cs:21:33:21:50 | access to property Text | semmle.label | access to property Text |
| SqlInjectionSqlite.cs:19:51:19:63 | access to field untrustedData : TextBox | semmle.label | access to field untrustedData : TextBox |
| SqlInjectionSqlite.cs:19:51:19:68 | access to property Text | semmle.label | access to property Text |
| SqlInjectionSqlite.cs:24:17:24:19 | access to local variable cmd : SQLiteCommand | semmle.label | access to local variable cmd : SQLiteCommand |

24
csharp/ql/test/query-tests/Security Features/CWE-089/SqlInjectionNHibernate.cs Normal file
View File

@@ -0,0 +1,24 @@
using System;
namespace TestNHibernate
{
using System.Data;
using System.IO;
using System.Text;
using System.Web.UI.WebControls;
class SqlInjection
{
private string connectionString;
public TextBox untrustedData;
public void InjectUntrustedData(NHibernate.ISession session, NHibernate.IStatelessSession statelessSession, NHibernate.Impl.AbstractSessionImpl impl)
{
session.CreateSQLQuery(untrustedData.Text); // $ Alert[cs/sql-injection]
statelessSession.CreateSQLQuery(untrustedData.Text); // $ Alert[cs/sql-injection]
impl.CreateSQLQuery(untrustedData.Text); // $ Alert[cs/sql-injection]
}
}
}

1
csharp/ql/test/query-tests/Security Features/CWE-089/options
View File

@@ -4,3 +4,4 @@ semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resour
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SQLite/1.0.119/System.Data.SQLite.csproj
semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Windows.cs
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.AspNetCore.App/Microsoft.AspNetCore.App.csproj
semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/NHibernate/5.5.2/NHibernate.csproj