C++: Use isAdditionalBarrier in the SqlTainted query.

geoffw0 · geoffw0 · commit 18890c4a7700 · 2021-01-05T11:33:39.000Z
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -27,6 +27,8 @@ class Configuration extends TaintTrackingConfiguration {
   override predicate isSink(Element tainted) {
     exists(SQLLikeFunction runSql | runSql.outermostWrapperFunctionCall(tainted, _))
   }
+
+  override predicate isAdditionalBarrier(Expr e) { e.getUnspecifiedType() instanceof IntegralType }
 }
 
 from
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -3,21 +3,11 @@ edges
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | (const char *)... |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
-| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
-| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | (const char *)... |
-| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
-| test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 |
 nodes
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:15:20:15:23 | argv | semmle.label | argv |
-| test.c:16:25:16:28 | argv | semmle.label | argv |
-| test.c:16:25:16:28 | argv | semmle.label | argv |
 | test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
 | test.c:21:18:21:23 | (const char *)... | semmle.label | (const char *)... |
 | test.c:21:18:21:23 | query1 | semmle.label | query1 |
-| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
-| test.c:33:18:33:23 | (const char *)... | semmle.label | (const char *)... |
-| test.c:33:18:33:23 | query3 | semmle.label | query3 |
 #select
 | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
-| test.c:33:18:33:23 | query3 | test.c:16:25:16:28 | argv | test.c:33:18:33:23 | query3 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:16:25:16:28 | argv | user input (argv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -30,5 +30,5 @@ int main(int argc, char** argv) {
   // an integer from the user is injected into an SQL query.
   char query3[1000] = {0};
   snprintf(query3, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
-  mysql_query(0, query3); // BAD [FALSE POSITIVE]
+  mysql_query(0, query3); // BAD
 }

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ class Configuration extends TaintTrackingConfiguration {`
`27`	`27`	`override predicate isSink(Element tainted) {`
`28`	`28`	`exists(SQLLikeFunction runSql \| runSql.outermostWrapperFunctionCall(tainted, _))`
`29`	`29`	`}`
	`30`	`+`
	`31`	`+ override predicate isAdditionalBarrier(Expr e) { e.getUnspecifiedType() instanceof IntegralType }`
`30`	`32`	`}`
`31`	`33`
`32`	`34`	`from`
Original file line number	Diff line number	Diff line change
`@@ -30,5 +30,5 @@ int main(int argc, char** argv) {`
`30`	`30`	`// an integer from the user is injected into an SQL query.`
`31`	`31`	`char query3[1000] = {0};`
`32`	`32`	`snprintf(query3, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);`
`33`		`- mysql_query(0, query3); // BAD [FALSE POSITIVE]`
	`33`	`+ mysql_query(0, query3); // BAD`
`34`	`34`	`}`