11/**
2- * @name SQLI Vulnerability
3- * @description Using untrusted strings in a sql query allows sql injection attacks.
4- * @kind path-problem
5- * @id cpp/sqlivulnerable
6- * @problem.severity warning
7- */
2+ * @name SQLI Vulnerability
3+ * @description Using untrusted strings in a sql query allows sql injection attacks.
4+ * @kind path-problem
5+ * @id cpp/sqlivulnerable
6+ * @problem.severity warning
7+ */
88
99import cpp
1010import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,7 +15,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
1515 // count = read(STDIN_FILENO, buf, BUFSIZE);
1616 exists ( FunctionCall read |
1717 read .getTarget ( ) .getName ( ) = "read" and
18- read .getArgument ( 1 ) = source .( DataFlow:: PostUpdateNode ) .getPreUpdateNode ( ) .asExpr ( )
18+ read .getArgument ( 1 ) = source .( DataFlow:: PostUpdateNode ) .getPreUpdateNode ( ) .asIndirectArgument ( )
1919 )
2020 }
2121
@@ -31,7 +31,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
3131 // #endif
3232 exists ( FunctionCall printf |
3333 printf .getTarget ( ) .getName ( ) .matches ( "%snprintf%" ) and
34- printf .getArgument ( 0 ) = out .( DataFlow:: PostUpdateNode ) .getPreUpdateNode ( ) .asExpr ( ) and
34+ printf .getArgument ( 0 ) = out .( DataFlow:: PostUpdateNode ) .getPreUpdateNode ( ) .asIndirectArgument ( ) and
3535 // very specific: shifted index for macro.
3636 printf .getArgument ( 6 ) = into .asExpr ( )
3737 )
@@ -41,7 +41,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
4141 // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
4242 exists ( FunctionCall exec |
4343 exec .getTarget ( ) .getName ( ) = "sqlite3_exec" and
44- exec .getArgument ( 1 ) = sink .asExpr ( )
44+ exec .getArgument ( 1 ) = sink .asIndirectArgument ( )
4545 )
4646 }
4747}
@@ -52,3 +52,4 @@ import MyFlow::PathGraph
5252from MyFlow:: PathNode source , MyFlow:: PathNode sink
5353where MyFlow:: flowPath ( source , sink )
5454select sink , source , sink , "Possible SQL injection"
55+
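Review bot: The source clause for `read` (the new `.asIndirectArgument()` line after `read .getTarget ( )`) still reaches the buffer's post-call value through a cast to `DataFlow::PostUpdateNode` followed by `getPreUpdateNode()`, which is harder to read than it needs to be; if memory serves, the new C/C++ dataflow library exposes `asDefiningArgument()` for exactly "the value of `*arg` after the call", so `read .getArgument ( 1 ) = source .asDefiningArgument ( )` would state the same source directly, and the same simplification applies to `out` in the snprintf step. The sink side is right to move to `sink .asIndirectArgument ( )`, since `sqlite3_exec` consumes the query text the pointer refers to rather than the pointer value, and the pre-call node is the correct side there. The enclosing `SqliFlowConfig` module and the predicates these `exists` bodies belong to start outside the hunks, so I cannot confirm which predicate each clause implements. Separately, header-comment lines 2–7 in the first hunk are removed and re-added with identical text, which looks like a whitespace or line-ending change that the commit message should state.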