hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

JavaScript: Model chaining calls in sqlite3.

Browse Source
This commit is contained in:
Max Schaefer
2021-05-10 10:30:26 +01:00
parent a7030c7fed
commit 8f91e9eba0
4 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
javascript/change-notes/2021-05-10-sqlite3-chaining.md Normal file
View File

@@ -0,0 +1,3 @@
lgtm,codescanning
* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
additional results from the `js/sql-injection` query.

14
javascript/ql/src/semmle/javascript/frameworks/SQL.qll
View File

@@ -341,18 +341,28 @@ private module Sqlite {
result = sqlite().getMember("verbose").getReturn() result = sqlite().getMember("verbose").getReturn()
} }
/** Gets an expression that constructs a Sqlite database instance. */ /** Gets an expression that constructs or returns a Sqlite database instance. */
API::Node database() { API::Node database() {
// new require('sqlite3').Database() // new require('sqlite3').Database()
result = sqlite().getMember("Database").getInstance() result = sqlite().getMember("Database").getInstance()
or or
// chained call
result = getAChainingQueryCall()
or
result = API::Node::ofType("sqlite3", "Database") result = API::Node::ofType("sqlite3", "Database")
} }
/** A call to a query method on a Sqlite database instance that returns the same instance. */
private API::Node getAChainingQueryCall() {
result = database().getMember(["all", "each", "exec", "get", "run"]).getReturn()
}
/** A call to a Sqlite query method. */ /** A call to a Sqlite query method. */
private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode { private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
QueryCall() { QueryCall() {
this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall() this = getAChainingQueryCall().getAnImmediateUse()
or
this = database().getMember("prepare").getACall()
} }
override DataFlow::Node getAQueryArgument() { result = getArgument(0) } override DataFlow::Node getAQueryArgument() { result = getArgument(0) }

1
javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
View File

@@ -66,5 +66,6 @@
| spannerImport.js:4:8:4:17 | "SQL code" | | spannerImport.js:4:8:4:17 | "SQL code" |
| sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" | | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
| sqlite.js:7:8:7:45 | "UPDATE ... id = ?" | | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
| sqlite.js:8:8:8:45 | "UPDATE ... id = ?" |
| sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" | | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
| sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" | | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |

3
javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
View File

@@ -4,6 +4,7 @@
var sqlite = require('sqlite3'); var sqlite = require('sqlite3');
var db = new sqlite.Database(":memory:"); var db = new sqlite.Database(":memory:");
db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2); db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2)
.run("UPDATE tbl SET name = ? WHERE id = ?", "foo", 3);
exports.db = db; exports.db = db;