mirror of
https://github.com/github/codeql.git
synced 2025-12-17 09:13:20 +01:00
31 lines
1.0 KiB
Plaintext
31 lines
1.0 KiB
Plaintext
/**
|
|
* @name Database query built from user-controlled sources
|
|
* @description Finds places where a value from a remote or local user input
|
|
* is used as an argument to the SQLite ``Connection.execute(_:)``
|
|
* function.
|
|
* @id swift/examples/simple-sql-injection
|
|
* @tags example
|
|
*/
|
|
|
|
import swift
|
|
import codeql.swift.dataflow.DataFlow
|
|
import codeql.swift.dataflow.TaintTracking
|
|
import codeql.swift.dataflow.FlowSources
|
|
|
|
module SqlInjectionConfig implements DataFlow::ConfigSig {
|
|
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
|
|
|
|
predicate isSink(DataFlow::Node node) {
|
|
exists(CallExpr call |
|
|
call.getStaticTarget().(Method).hasQualifiedName("Connection", "execute(_:)") and
|
|
call.getArgument(0).getExpr() = node.asExpr()
|
|
)
|
|
}
|
|
}
|
|
|
|
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
|
|
|
|
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
|
|
where SqlInjectionFlow::flow(sourceNode, sinkNode)
|
|
select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"
|