
Commit ac1670c

committed
Make SqlInjection use new API
The extra nodes in .expected files are due to the changes from #13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.
1 parent 646e158 commit ac1670c

4 files changed

Lines changed: 43 additions & 19 deletions


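--- a/go/ql/lib/semmle/go/security/SqlInjection.qll
+++ b/go/ql/lib/semmle/go/security/SqlInjection.qll
@@ -14,9 +14,11 @@ module SqlInjection {
 import SqlInjectionCustomizations::SqlInjection
 
 /**
+* DEPRECATED: Use `Flow` instead.
+*
 * A taint-tracking configuration for reasoning about SQL-injection vulnerabilities.
 */
-class Configuration extends TaintTracking::Configuration {
+deprecated class Configuration extends TaintTracking::Configuration {
 Configuration() { this = "SqlInjection" }
 
 override predicate isSource(DataFlow::Node source) { source instanceof Source }
@@ -36,4 +38,18 @@ module SqlInjection {
 guard instanceof SanitizerGuard
 }
 }
+
+private module Config implements DataFlow::ConfigSig {
+predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+NoSql::isAdditionalMongoTaintStep(pred, succ)
+}
+
+predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+module Flow = TaintTracking::Global<Config>;
 }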
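Review bot: The new `Config` has no counterpart to the `guard instanceof SanitizerGuard` predicate that the deprecated `Configuration` still carries (context line at old 36), so only `Sanitizer` nodes act as barriers for `Flow` and any customization that extends `SanitizerGuard` would presumably no longer suppress results. If that guard class is already deprecated elsewhere (not visible in this hunk), a short comment above `isBarrier` would record the intent, e.g. `// SanitizerGuard is not consulted here; model guards as Sanitizer nodes.` Separately, `Flow` is the public replacement named in the deprecation note but has no QLDoc; a line such as `/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */` above `module Flow` would fit. The enclosing `module SqlInjection` and the body of the deprecated class begin outside the hunks shown.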

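--- a/go/ql/src/Security/CWE-089/SqlInjection.ql
+++ b/go/ql/src/Security/CWE-089/SqlInjection.ql
@@ -13,9 +13,9 @@
 
 import go
 import semmle.go.security.SqlInjection
-import DataFlow::PathGraph
+import SqlInjection::Flow::PathGraph
 
-from SqlInjection::Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
+from SqlInjection::Flow::PathNode source, SqlInjection::Flow::PathNode sink
+where SqlInjection::Flow::flowPath(source, sink)
 select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
 "user-provided value"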

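--- a/go/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.ql
+++ b/go/ql/test/library-tests/semmle/go/frameworks/CouchbaseV1/test.ql
@@ -7,7 +7,7 @@ module SqlInjectionTest implements TestSig {
 
 predicate hasActualResult(Location location, string element, string tag, string value) {
 tag = "sqlinjection" and
-exists(DataFlow::Node sink | any(SqlInjection::Configuration c).hasFlow(_, sink) |
+exists(DataFlow::Node sink | SqlInjection::Flow::flowTo(sink) |
 element = sink.toString() and
 value = sink.toString() and
 sink.hasLocationInfo(location.getFile().getAbsolutePath(), location.getStartLine(),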

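--- a/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
+++ b/go/ql/test/query-tests/Security/CWE-089/SqlInjection.expected
@@ -69,20 +69,24 @@ edges
 | main.go:60:3:60:25 | selection of Category | main.go:59:7:60:26 | call to Sprintf |
 | main.go:60:4:60:15 | star expression [Category] | main.go:60:3:60:25 | selection of Category |
 | main.go:60:5:60:15 | RequestData [pointer, Category] | main.go:60:4:60:15 | star expression [Category] |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:57:22:57:29 | pipeline |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:61:27:61:32 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:63:23:63:28 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:64:22:64:27 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:66:32:66:37 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:69:17:69:22 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:70:20:70:25 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:71:29:71:34 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:72:30:72:35 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:73:29:73:34 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:78:23:78:28 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:79:23:79:28 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:80:22:80:27 | filter |
-| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:81:18:81:25 | pipeline |
+| mongoDB.go:40:20:40:30 | call to Referer | mongoDB.go:42:28:42:41 | untrustedInput |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:50:34:50:39 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:61:27:61:32 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:63:23:63:28 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:64:22:64:27 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:66:32:66:37 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:69:17:69:22 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:70:20:70:25 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:71:29:71:34 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:72:30:72:35 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:73:29:73:34 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:78:23:78:28 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:79:23:79:28 | filter |
+| mongoDB.go:42:19:42:42 | struct literal | mongoDB.go:80:22:80:27 | filter |
+| mongoDB.go:42:28:42:41 | untrustedInput | mongoDB.go:42:19:42:42 | struct literal |
+| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:57:22:57:29 | pipeline |
+| mongoDB.go:50:23:50:40 | struct literal | mongoDB.go:81:18:81:25 | pipeline |
+| mongoDB.go:50:34:50:39 | filter | mongoDB.go:50:23:50:40 | struct literal |
 nodes
 | SqlInjection.go:10:7:11:30 | call to Sprintf | semmle.label | call to Sprintf |
 | SqlInjection.go:11:3:11:9 | selection of URL | semmle.label | selection of URL |
@@ -163,6 +167,10 @@ nodes
 | main.go:60:5:60:15 | RequestData [pointer, Category] | semmle.label | RequestData [pointer, Category] |
 | main.go:61:11:61:11 | q | semmle.label | q |
 | mongoDB.go:40:20:40:30 | call to Referer | semmle.label | call to Referer |
+| mongoDB.go:42:19:42:42 | struct literal | semmle.label | struct literal |
+| mongoDB.go:42:28:42:41 | untrustedInput | semmle.label | untrustedInput |
+| mongoDB.go:50:23:50:40 | struct literal | semmle.label | struct literal |
+| mongoDB.go:50:34:50:39 | filter | semmle.label | filter |
 | mongoDB.go:57:22:57:29 | pipeline | semmle.label | pipeline |
 | mongoDB.go:61:27:61:32 | filter | semmle.label | filter |
 | mongoDB.go:63:23:63:28 | filter | semmle.label | filter |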
