Pg Library, change note and Frameworks.qll

2026-05-01 03:35:13 +02:00 · 2023-05-23 19:49:03 +02:00
parent e33f3a6668
commit ad5355a04a
4 changed files with 152 additions and 0 deletions
--- a/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb
+++ b/ruby/ql/test/query-tests/security/cwe-089/PgInjection.rb
@@ -0,0 +1,70 @@
+class FooController < ActionController::Base
+
+  def some_request_handler
+    # A string tainted by user input is inserted into a query
+    # (i.e a remote flow source)
+    name = params[:name]
+
+    # Establish a connection to a PostgreSQL database
+    conn = PG::Connection.open(:dbname => 'postgresql', :user => 'user', :password => 'pass', :host => 'localhost', :port => '5432')
+
+    # .exec() and .async_exec()
+    # BAD: SQL statement constructed from user input
+    qry1 = "SELECT * FROM users WHERE username = '#{name}';"
+    conn.exec(qry1)
+    conn.async_exec(qry1)
+
+    # .exec_params() and .async_exec_params()
+    # BAD: SQL statement constructed from user input
+    qry2 = "SELECT * FROM users WHERE username = '#{name}';"
+    conn.exec_params(qry2)
+    conn.async_exec_params(qry2)
+
+    # .exec_params() and .async_exec_params()
+    # GOOD: SQL statement constructed from sanitized user input
+    qry2 = "SELECT * FROM users WHERE username = $1;"
+    conn.exec_params(qry2, [name])
+    conn.async_exec_params(qry2, [name])
+
+    # .prepare() and .exec_prepared()
+    # BAD: SQL statement constructed from user input
+    qry3 = "SELECT * FROM users WHERE username = '#{name}';"
+    conn.prepare("query_1", qry3)
+    conn.exec_prepared('query_1')
+
+    # .prepare() and .exec_prepared()
+    # GOOD: SQL statement constructed from sanitized user input
+    qry3 = "SELECT * FROM users WHERE username = $1;"
+    conn.prepare("query_2", qry3)
+    conn.exec_prepared('query_2', [name])
+
+    # .prepare() and .exec_prepared()
+    # NOT EXECUTED: SQL statement constructed from user input but not executed
+    qry3 = "SELECT * FROM users WHERE username = '#{name}';"
+    conn.prepare("query_3", qry3)
+  end
+end
+
+class BarController < ApplicationController
+  def safe_paths
+    name1 = params["name1"]
+    # GOOD: barrier guard prevents taint flow
+    if name == "admin"
+      qry_bar1 = "SELECT * FROM users WHERE username = '%s';" % name
+    else
+      qry_bar1 = "SELECT * FROM users WHERE username = 'none';"
+    end
+    conn.exec_params(qry_bar1)
+
+
+    name2 = params["name2"]
+    # GOOD: barrier guard prevents taint flow
+    name2 = if ["admin", "guest"].include? name2
+      name2
+    else 
+      name2 = "none"
+    end
+    qry_bar2 = "SELECT * FROM users WHERE username = '%s';" % name
+    conn.exec_params(qry_bar2)
+  end
+end