
Commit 31aaec7

committed
feat(python): Update SQL Injection query to new API
1 parent e97e88c commit 31aaec7


2 files changed

+28
-20
lines changed


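--- a/python/src/audit/CWE-089/SqlInjectionAudit.ql
+++ b/python/src/audit/CWE-089/SqlInjectionAudit.ql
@@ -17,25 +17,25 @@ import semmle.python.dataflow.new.TaintTracking
 import semmle.python.Concepts
 import semmle.python.dataflow.new.BarrierGuards
 import semmle.python.ApiGraphs
-import DataFlow::PathGraph
 private import semmle.python.security.dataflow.SqlInjectionCustomizations
-//
 import ghsl.Utils
 
 /**
 * A taint-tracking configuration for detecting SQL injection vulnerabilities.
 */
-class SqlInjectionHeuristic extends TaintTracking::Configuration {
-SqlInjectionHeuristic() { this = "SqlInjectionHeuristic" }
+module SqlInjectionHeuristicConfig implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
 
-override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
+predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
 
-override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
-
-override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
+predicate isBarrier(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
 }
 
-from SqlInjectionHeuristic config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
-"a user-provided value"
+module SqlInjectionHeuristicFlow = TaintTracking::Global<SqlInjectionHeuristicConfig>;
+
+import SqlInjectionHeuristicFlow::PathGraph //importing the path graph from the module
+
+from SqlInjectionHeuristicFlow::PathNode source, SqlInjectionHeuristicFlow::PathNode sink
+where SqlInjectionHeuristicFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This SQL query depends on a $@.", source.getNode(),
+"user-provided value"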
Lines changed: 16 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,20 +1,28 @@
11
edges
2-
| sqli.py:17:9:17:60 | ControlFlowNode for Fstring | sqli.py:18:16:18:20 | ControlFlowNode for query |
3-
| sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | sqli.py:22:16:22:20 | ControlFlowNode for query |
4-
| sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | sqli.py:26:16:26:20 | ControlFlowNode for query |
5-
| sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | sqli.py:31:16:31:20 | ControlFlowNode for query |
2+
| sqli.py:17:1:17:5 | ControlFlowNode for query | sqli.py:18:16:18:20 | ControlFlowNode for query |
3+
| sqli.py:17:9:17:60 | ControlFlowNode for Fstring | sqli.py:17:1:17:5 | ControlFlowNode for query |
4+
| sqli.py:21:1:21:5 | ControlFlowNode for query | sqli.py:22:16:22:20 | ControlFlowNode for query |
5+
| sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | sqli.py:21:1:21:5 | ControlFlowNode for query |
6+
| sqli.py:25:1:25:5 | ControlFlowNode for query | sqli.py:26:16:26:20 | ControlFlowNode for query |
7+
| sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | sqli.py:25:1:25:5 | ControlFlowNode for query |
8+
| sqli.py:30:1:30:5 | ControlFlowNode for query | sqli.py:31:16:31:20 | ControlFlowNode for query |
9+
| sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | sqli.py:30:1:30:5 | ControlFlowNode for query |
610
nodes
11+
| sqli.py:17:1:17:5 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
712
| sqli.py:17:9:17:60 | ControlFlowNode for Fstring | semmle.label | ControlFlowNode for Fstring |
813
| sqli.py:18:16:18:20 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
14+
| sqli.py:21:1:21:5 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
915
| sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
1016
| sqli.py:22:16:22:20 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
17+
| sqli.py:25:1:25:5 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
1118
| sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
1219
| sqli.py:26:16:26:20 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
20+
| sqli.py:30:1:30:5 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
1321
| sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | semmle.label | ControlFlowNode for BinaryExpr |
1422
| sqli.py:31:16:31:20 | ControlFlowNode for query | semmle.label | ControlFlowNode for query |
1523
subpaths
1624
#select
17-
| sqli.py:18:16:18:20 | ControlFlowNode for query | sqli.py:17:9:17:60 | ControlFlowNode for Fstring | sqli.py:18:16:18:20 | ControlFlowNode for query | This SQL query depends on $@. | sqli.py:17:9:17:60 | ControlFlowNode for Fstring | a user-provided value |
18-
| sqli.py:22:16:22:20 | ControlFlowNode for query | sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | sqli.py:22:16:22:20 | ControlFlowNode for query | This SQL query depends on $@. | sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | a user-provided value |
19-
| sqli.py:26:16:26:20 | ControlFlowNode for query | sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | sqli.py:26:16:26:20 | ControlFlowNode for query | This SQL query depends on $@. | sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | a user-provided value |
20-
| sqli.py:31:16:31:20 | ControlFlowNode for query | sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | sqli.py:31:16:31:20 | ControlFlowNode for query | This SQL query depends on $@. | sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | a user-provided value |
25+
| sqli.py:18:16:18:20 | ControlFlowNode for query | sqli.py:17:9:17:60 | ControlFlowNode for Fstring | sqli.py:18:16:18:20 | ControlFlowNode for query | This SQL query depends on a $@. | sqli.py:17:9:17:60 | ControlFlowNode for Fstring | user-provided value |
26+
| sqli.py:22:16:22:20 | ControlFlowNode for query | sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | sqli.py:22:16:22:20 | ControlFlowNode for query | This SQL query depends on a $@. | sqli.py:21:9:21:68 | ControlFlowNode for Attribute() | user-provided value |
27+
| sqli.py:26:16:26:20 | ControlFlowNode for query | sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | sqli.py:26:16:26:20 | ControlFlowNode for query | This SQL query depends on a $@. | sqli.py:25:9:25:60 | ControlFlowNode for BinaryExpr | user-provided value |
28+
| sqli.py:31:16:31:20 | ControlFlowNode for query | sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | sqli.py:31:16:31:20 | ControlFlowNode for query | This SQL query depends on a $@. | sqli.py:30:9:30:58 | ControlFlowNode for BinaryExpr | user-provided value |
