JavaScript: Model chaining calls in sqlite3.

2025-12-20 18:56:32 +01:00 · 2021-05-10 10:30:26 +01:00
parent a7030c7fed
commit 8f91e9eba0
4 changed files with 18 additions and 3 deletions
--- a/javascript/change-notes/2021-05-10-sqlite3-chaining.md
+++ b/javascript/change-notes/2021-05-10-sqlite3-chaining.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
+  additional results from the `js/sql-injection` query.
--- a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -341,18 +341,28 @@ private module Sqlite {
    result = sqlite().getMember("verbose").getReturn()
  }

-  /** Gets an expression that constructs a Sqlite database instance. */
+  /** Gets an expression that constructs or returns a Sqlite database instance. */
  API::Node database() {
    // new require('sqlite3').Database()
    result = sqlite().getMember("Database").getInstance()
    or
+    // chained call
+    result = getAChainingQueryCall()
+    or
    result = API::Node::ofType("sqlite3", "Database")
  }

+  /** A call to a query method on a Sqlite database instance that returns the same instance. */
+  private API::Node getAChainingQueryCall() {
+    result = database().getMember(["all", "each", "exec", "get", "run"]).getReturn()
+  }
+
  /** A call to a Sqlite query method. */
  private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
    QueryCall() {
-      this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
+      this = getAChainingQueryCall().getAnImmediateUse()
+      or
+      this = database().getMember("prepare").getACall()
    }

    override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
--- a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
+++ b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -66,5 +66,6 @@
 | spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
+| sqlite.js:8:8:8:45 | "UPDATE ... id = ?" |
 | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
--- a/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
@@ -4,6 +4,7 @@
 var sqlite = require('sqlite3');

 var db = new sqlite.Database(":memory:");
-db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
+db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2)
+  .run("UPDATE tbl SET name = ? WHERE id = ?", "foo", 3);

 exports.db = db;