Merge pull request #21162 from owen-mc/cpp/mad-barriers

C++: Allow MaD barriers
2026-02-12 05:01:06 +01:00 · 2026-01-23 18:14:01 +01:00
parent 949fc3745a 82e2afc93c
commit e36080061d
4 changed files with 21 additions and 14 deletions
--- a/cpp/ql/lib/change-notes/2026-01-23-mysql.md
+++ b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.
--- a/cpp/ql/lib/ext/MySql.model.yml
+++ b/cpp/ql/lib/ext/MySql.model.yml
@@ -0,0 +1,14 @@
+# partial model of the MySQL api
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*1]", "sql-injection", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*1]", "sql-injection", "manual"]
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
@@ -16,17 +16,3 @@ private class MySqlExecutionFunction extends SqlExecutionFunction {

  override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -51,6 +51,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
      input.isParameterDeref(arg) and
      sql.barrierSqlArgument(input, _)
    )
+    or
+    // barrier defined using models-as-data
+    barrierNode(node, "sql-injection")
  }

  predicate observeDiffInformedIncrementalMode() { any() }