hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add a test (cleaned up) that was previously in the internal repo.

Browse Source
This commit is contained in:
Geoffrey White
2021-01-04 15:18:08 +00:00
parent 7f25efd43f
commit 7a3f9c7895
3 changed files with 41 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected Normal file
View File

@@ -0,0 +1,13 @@
edges
| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | (const char *)... |
| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
| test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 |
nodes
| test.c:14:20:14:23 | argv | semmle.label | argv |
| test.c:14:20:14:23 | argv | semmle.label | argv |
| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:19:18:19:23 | (const char *)... | semmle.label | (const char *)... |
| test.c:19:18:19:23 | query1 | semmle.label | query1 |
#select
| test.c:19:18:19:23 | query1 | test.c:14:20:14:23 | argv | test.c:19:18:19:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:14:20:14:23 | argv | user input (argv) |

1
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.qlref Normal file
View File

@@ -0,0 +1 @@
Security/CWE/CWE-089/SqlTainted.ql

27
cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c Normal file
View File

@@ -0,0 +1,27 @@
// Semmle test case for rule SprintfToSqlQuery.ql (Uncontrolled sprintf for SQL query)
// Associated with CWE-089: SQL injection. http://cwe.mitre.org/data/definitions/89.html
///// Library routines /////
typedef unsigned long size_t;
int snprintf(char *s, size_t n, const char *format, ...);
void sanitizeString(char *stringOut, size_t len, const char *strIn);
int mysql_query(int arg1, const char *sqlArg);
///// Test code /////
int main(int argc, char** argv) {
char *userName = argv[2];
// a string from the user is injected directly into an SQL query.
char query1[1000] = {0};
snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
mysql_query(0, query1); // BAD
// the user string is encoded by a library routine.
char userNameSanitized[1000] = {0};
sanitizeString(userNameSanitized, 1000, userName);
char query2[1000] = {0};
snprintf(query2, 1000, "SELECT UID FROM USERS where name = \"%s\"", userNameSanitized);
mysql_query(0, query2); // GOOD
}