Make SqlInjection use new API

The extra nodes in .expected files are due to the changes from
https://github.com/github/codeql/pull/13717, which are not applied to
configuration classes extending DataFlow::Configuration or
TaintTracking::Configuration.
Owen Mansel-Chan
2023-07-11 15:26:29 +01:00
parent 646e158813
commit ac1670c0af
4 changed files with 43 additions and 19 deletions


@@ -14,9 +14,11 @@ module SqlInjection {
import SqlInjectionCustomizations::SqlInjection
/**
* DEPRECATED: Use `Flow` instead.
*
* A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
*/
class Configuration extends TaintTracking::Configuration {
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "SqlInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -36,4 +38,18 @@ module SqlInjection {
guard instanceof SanitizerGuard
}
}
private module Config implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof Source }
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
NoSql::isAdditionalMongoTaintStep(pred, succ)
}
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
}
module Flow = TaintTracking::Global<Config>;
}
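Review bot: The new `Config` module does not carry over the sanitizer-guard handling that the deprecated `Configuration` still has (`guard instanceof SanitizerGuard` is visible at the top of the second hunk), so `Flow` treats only `Sanitizer` nodes as barriers. If any concrete `SanitizerGuard` subclasses exist in the customizations module, `Flow` will report more paths than the deprecated configuration did; if dropping them is intentional, a one-line comment on `isBarrier` saying so would save the next reader from re-checking. `Config` and `Flow` also have no QLDoc, where the library convention would be something like `/** Global taint-tracking for reasoning about SQL-injection vulnerabilities. */` above `module Flow`. The rest of the deprecated `Configuration` body lies outside the hunk.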


@@ -13,9 +13,9 @@
import go
import semmle.go.security.SqlInjection
import DataFlow::PathGraph
import SqlInjection::Flow::PathGraph
from SqlInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
from SqlInjection::Flow::PathNode source, SqlInjection::Flow::PathNode sink
where SqlInjection::Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
"user-provided value"


@@ -7,7 +7,7 @@ module SqlInjectionTest implements TestSig {
predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "sqlinjection" and
exists(DataFlow::Node sink | any(SqlInjection::Configuration c).hasFlow(_, sink) |
exists(DataFlow::Node sink | SqlInjection::Flow::flowTo(sink) |
element = sink.toString() and
value = sink.toString() and
sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),


@@ -69,20 +69,24 @@ edges
| main.go:60:3:60:25 | selection of Category | main.go:59:7:60:26 | call to Sprintf |
| main.go:60:4:60:15 | star expression [Category] | main.go:60:3:60:25 | selection of Category |
| main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:57:22:57:29 | pipeline |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:61:27:61:32 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:63:23:63:28 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:64:22:64:27 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:66:32:66:37 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:69:17:69:22 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:70:20:70:25 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:71:29:71:34 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:72:30:72:35 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:73:29:73:34 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:78:23:78:28 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:79:23:79:28 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:80:22:80:27 | filter |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline |
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter |
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter |
| mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline |
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline |
| mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal |
nodes
| SqlInjection.go:10:7:11:30 | call to Sprintf | semmle.label | call to Sprintf |
| SqlInjection.go:11:3:11:9 | selection of URL | semmle.label | selection of URL |
@@ -163,6 +167,10 @@ nodes
| main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
| main.go:61:11:61:11 | q | semmle.label | q |
| mongoDB.go:40:20:40:30 | call to Referer | semmle.label | call to Referer |
| mongoDB.go:42:19:42:42 | struct literal | semmle.label | struct literal |
| mongoDB.go:42:28:42:41 | untrustedInput | semmle.label | untrustedInput |
| mongoDB.go:50:23:50:40 | struct literal | semmle.label | struct literal |
| mongoDB.go:50:34:50:39 | filter | semmle.label | filter |
| mongoDB.go:57:22:57:29 | pipeline | semmle.label | pipeline |
| mongoDB.go:61:27:61:32 | filter | semmle.label | filter |
| mongoDB.go:63:23:63:28 | filter | semmle.label | filter |