-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathSqlInjectionLib.qll
More file actions
29 lines (23 loc) · 1.05 KB
/
SqlInjectionLib.qll
File metadata and controls
29 lines (23 loc) · 1.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
/** Definitions used by the queries for database query injection. */
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
private class QueryInjectionFlowConfig extends TaintTracking::Configuration {
QueryInjectionFlowConfig() { this = "SqlInjectionLib::QueryInjectionFlowConfig" }
override predicate isSource(DataFlow::Node src) { src instanceof RemoteFlowSource }
override predicate isSink(DataFlow::Node sink) { sink instanceof QueryInjectionSink }
override predicate isSanitizer(DataFlow::Node node) {
node.getType() instanceof PrimitiveType or
node.getType() instanceof BoxedType or
node.getType() instanceof NumberType
}
}
/**
* Implementation of `SqlTainted.ql`. This is extracted to a QLL so that it
* can be excluded from `SqlUnescaped.ql` to avoid overlapping results.
*/
predicate queryTaintedBy(
QueryInjectionSink query, DataFlow::PathNode source, DataFlow::PathNode sink
) {
exists(QueryInjectionFlowConfig conf | conf.hasFlowPath(source, sink) and sink.getNode() = query)
}