Go: Improvements to DSN Injection query

This commit is contained in:
Porcupiney Hairs
2023-07-02 17:38:01 +05:30
parent 95ddc01ccb
commit dc0deb5e49
13 changed files with 12 additions and 9 deletions


@@ -6,7 +6,7 @@
* @id go/dsn-injection
* @tags security
* experimental
* external/cwe/cwe-134
* external/cwe/cwe-74
*/
import go
@@ -18,5 +18,5 @@ private class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSourc
from DsnInjection cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
"user-provided value"
select sink.getNode(), source, sink, "Data-Source Name is built using $@.", source.getNode(),
"untrusted user input"
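Review bot: The new alert message on the second hunk, `"Data-Source Name is built using $@."`, does not say which sink the flow reached, so a triager has to open the config to learn that only `database/sql.Open` is modelled (the sink predicate changed in this same commit restricts it further to the `"mysql"` driver). Naming the API in the message keeps the alert self-contained, e.g. `select sink.getNode(), source, sink, "Data-Source Name passed to sql.Open is built using $@.", source.getNode(), "untrusted user input"`. If the message is changed, the `#select` line in the `.expected` file must be updated to match.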


@@ -14,8 +14,11 @@ class DsnInjection extends TaintTracking::Configuration {
override predicate isSource(DataFlow::Node node) { node instanceof Source }
override predicate isSink(DataFlow::Node node) {
exists(Function f | f.hasQualifiedName("database/sql", "Open") |
node = f.getACall().getArgument(1)
exists(DataFlow::CallNode c |
c.getTarget().hasQualifiedName("database/sql", "Open") and
c.getArgument(0).getStringValue() = "mysql"
|
node = c.getArgument(1)
)
}
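Review bot: The rewritten `isSink` only matches `sql.Open` calls whose first argument is the constant string `"mysql"`, so a DSN passed to any other driver, or one whose driver name is not a compile-time constant, is silently no longer reported, and nothing in the hunk records why this narrowing is intended. Either document it above the `exists`, e.g. `// Only the mysql driver's DSN is modelled; other drivers are out of scope for now.`, or, if every driver should be covered, drop the `c.getArgument(0).getStringValue() = "mysql"` conjunct. The query id `go/dsn-injection` and the alert message in DsnInjection.ql do not mention the mysql restriction, so users are likely to assume wider coverage than the sink provides. `isSink` is a member of `DsnInjection`, whose class header and closing brace lie outside the hunk.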


@@ -6,7 +6,7 @@
* @id go/dsn-injection-local
* @tags security
* experimental
* external/cwe/cwe-134
* external/cwe/cwe-74
*/
import go


@@ -1 +0,0 @@
experimental/CWE-134/DsnInjection.ql


@@ -1 +0,0 @@
experimental/CWE-134/DsnInjectionLocal.ql


@@ -9,4 +9,4 @@ nodes
| Dsn.go:50:29:50:33 | dbDSN | semmle.label | dbDSN |
subpaths
#select
| Dsn.go:50:29:50:33 | dbDSN | Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:50:29:50:33 | dbDSN | This query depends on a $@. | Dsn.go:47:10:47:30 | call to FormValue | user-provided value |
| Dsn.go:50:29:50:33 | dbDSN | Dsn.go:47:10:47:30 | call to FormValue | Dsn.go:50:29:50:33 | dbDSN | Data-Source Name is built using $@. | Dsn.go:47:10:47:30 | call to FormValue | untrusted user input |


@@ -0,0 +1 @@
experimental/CWE-74/DsnInjection.ql


@@ -0,0 +1 @@
experimental/CWE-74/DsnInjectionLocal.ql