Make SqlInjection use new API
The extra nodes in .expected files are due to the changes from https://github.com/github/codeql/pull/13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.
@@ -14,9 +14,11 @@ module SqlInjection {
|
||||
import SqlInjectionCustomizations::SqlInjection
|
||||
|
||||
/**
|
||||
* DEPRECATED: Use `Flow` instead.
|
||||
*
|
||||
* A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
|
||||
*/
|
||||
class Configuration extends TaintTracking::Configuration {
|
||||
deprecated class Configuration extends TaintTracking::Configuration {
|
||||
Configuration() { this = "SqlInjection" }
|
||||
|
||||
override predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
@@ -36,4 +38,18 @@ module SqlInjection {
|
||||
guard instanceof SanitizerGuard
|
||||
}
|
||||
}
|
||||
|
||||
private module Config implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
|
||||
NoSql::isAdditionalMongoTaintStep(pred, succ)
|
||||
}
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
|
||||
}
|
||||
|
||||
module Flow = TaintTracking::Global<Config>;
|
||||
}
|
||||
|
||||
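Review bot: The new `Config` module has no counterpart to the guard-based sanitizer that the deprecated `Configuration` still applies (the context line `guard instanceof SanitizerGuard` at the top of this hunk); it only declares `isBarrier` for `Sanitizer`. If any library model or customization still expresses validation by extending `SanitizerGuard`, those checks would presumably stop suppressing paths under `Flow`, so the query would report flows the old configuration treated as sanitized. It is worth confirming that every such guard has a `Sanitizer` node equivalent, or documenting the difference next to the deprecation. Separately, `Flow` is a public module with no QLDoc; I would add `/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */` above `module Flow = TaintTracking::Global<Config>;`. The deprecated class body that contains the guard predicate starts in the previous hunk.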
@@ -13,9 +13,9 @@
|
||||
|
||||
import go
|
||||
import semmle.go.security.SqlInjection
|
||||
import DataFlow::PathGraph
|
||||
import SqlInjection::Flow::PathGraph
|
||||
|
||||
from SqlInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
|
||||
where cfg.hasFlowPath(source, sink)
|
||||
from SqlInjection::Flow::PathNode source, SqlInjection::Flow::PathNode sink
|
||||
where SqlInjection::Flow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
|
||||
"user-provided value"
|
||||
|
||||
@@ -7,7 +7,7 @@ module SqlInjectionTest implements TestSig {
|
||||
|
||||
predicate hasActualResult(Location location, string element, string tag, string value) {
|
||||
tag = "sqlinjection" and
|
||||
exists(DataFlow::Node sink | any(SqlInjection::Configuration c).hasFlow(_, sink) |
|
||||
exists(DataFlow::Node sink | SqlInjection::Flow::flowTo(sink) |
|
||||
element = sink.toString() and
|
||||
value = sink.toString() and
|
||||
sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),
|
||||
|
||||
@@ -69,20 +69,24 @@ edges
|
||||
| main.go:60:3:60:25 | selection of Category | main.go:59:7:60:26 | call to Sprintf |
|
||||
| main.go:60:4:60:15 | star expression [Category] | main.go:60:3:60:25 | selection of Category |
|
||||
| main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:57:22:57:29 | pipeline |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:61:27:61:32 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:63:23:63:28 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:64:22:64:27 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:66:32:66:37 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:69:17:69:22 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:70:20:70:25 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:71:29:71:34 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:72:30:72:35 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:73:29:73:34 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:78:23:78:28 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:79:23:79:28 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:80:22:80:27 | filter |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter |
|
||||
| mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal |
|
||||
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline |
|
||||
| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline |
|
||||
| mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal |
|
||||
nodes
|
||||
| SqlInjection.go:10:7:11:30 | call to Sprintf | semmle.label | call to Sprintf |
|
||||
| SqlInjection.go:11:3:11:9 | selection of URL | semmle.label | selection of URL |
|
||||
@@ -163,6 +167,10 @@ nodes
|
||||
| main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
|
||||
| main.go:61:11:61:11 | q | semmle.label | q |
|
||||
| mongoDB.go:40:20:40:30 | call to Referer | semmle.label | call to Referer |
|
||||
| mongoDB.go:42:19:42:42 | struct literal | semmle.label | struct literal |
|
||||
| mongoDB.go:42:28:42:41 | untrustedInput | semmle.label | untrustedInput |
|
||||
| mongoDB.go:50:23:50:40 | struct literal | semmle.label | struct literal |
|
||||
| mongoDB.go:50:34:50:39 | filter | semmle.label | filter |
|
||||
| mongoDB.go:57:22:57:29 | pipeline | semmle.label | pipeline |
|
||||
| mongoDB.go:61:27:61:32 | filter | semmle.label | filter |
|
||||
| mongoDB.go:63:23:63:28 | filter | semmle.label | filter |
|
||||
|
||||