Improve Sqlite3 test

owen-mc · owen-mc · commit 1fa183ee2a73 · 2026-02-17T22:27:04.000Z
diff --git a/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected b/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.expected
@@ -0,0 +1,12 @@
+#select
+| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
+edges
+| sqlite3.rb:25:5:25:12 | category | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | provenance | AdditionalTaintStep |
+| sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:25:16:25:32 | ...[...] | provenance |  |
+| sqlite3.rb:25:16:25:32 | ...[...] | sqlite3.rb:25:5:25:12 | category | provenance |  |
+nodes
+| sqlite3.rb:25:5:25:12 | category | semmle.label | category |
+| sqlite3.rb:25:16:25:21 | call to params | semmle.label | call to params |
+| sqlite3.rb:25:16:25:32 | ...[...] | semmle.label | ...[...] |
+| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
+subpaths
diff --git a/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.qlref b/ruby/ql/test/library-tests/frameworks/sqlite3/SqlInjection.qlref
@@ -0,0 +1,4 @@
+query: queries/security/cwe-089/SqlInjection.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
diff --git a/ruby/ql/test/library-tests/frameworks/sqlite3/sqlite3.rb b/ruby/ql/test/library-tests/frameworks/sqlite3/sqlite3.rb
@@ -20,12 +20,16 @@
 end
 
 
-class MyDatabaseWrapper
-      def initialize(filename)
-      @db = SQLite3::Database.new(filename, results_as_hash: true)
-    end
-
-    def select_rows(category)
-      @db.execute("select * from table")
-    end
+class SqliteController < ActionController::Base
+  def sqlite3_handler
+    category = params[:category] # $ Source[rb/sql-injection]
+    db = SQLite3::Database.new "test.db"
+
+    # BAD: SQL injection vulnerability
+    db.execute("select * from table where category = '#{category}'") # $ Alert[rb/sql-injection]
+
+    # GOOD: Sanitized by SQLite3::Database.quote
+    sanitized_category = SQLite3::Database.quote(category)
+    db.execute("select * from table where category = '#{sanitized_category}'")
+  end
 end
