
Commit 5df695b

committed
Move SQLite3 flow model to MaD and remove ql sanitizer
1 parent 1fa183e commit 5df695b


3 files changed

+19
-22
lines changed

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
extensions:
2+
- addsTo:
3+
pack: codeql/ruby-all
4+
extensible: summaryModel
5+
data:
6+
- ['SQLite3::Database!', 'Method[quote]', 'Argument[0]', 'ReturnValue', 'taint']
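Review bot: The new `summaryModel` row only propagates taint from `Argument[0]` to `ReturnValue` of `quote`, and nothing in this commit replaces the removed `SQLite3QuoteSanitization` class in `Sqlite3.qll`, so a value passed through `SQLite3::Database.quote` now reaches the SQL sink as tainted. The updated expected output shows the effect: a new `#select` row for `sqlite3.rb:33` and a `testFailures` row reading `Unexpected result: Alert`, which suggests the inline expectation in the test source still treats that line as safe. If dropping the sanitizer is deliberate, the test annotation for that line should be updated so the expected file carries no `testFailures` entry, and the yml should say so in a comment such as `# quote() output is intentionally still treated as tainted by the SQL injection query`. If it is not deliberate, a barrier for `quote` needs to stay in place, since this change will otherwise surface new alerts on code that already quotes its input.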

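--- a/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll
@@ -76,26 +76,4 @@ module Sqlite3 {
 
 override DataFlow::Node getSql() { result = this.getArgument(0) }
 }
-
-/**
-* A call to `SQLite3::Database.quote`, considered as a sanitizer for SQL statements.
-*/
-private class SQLite3QuoteSanitization extends SqlSanitization {
-SQLite3QuoteSanitization() {
-this = API::getTopLevelMember("SQLite3").getMember("Database").getAMethodCall("quote")
-}
-}
-
-/**
-* Flow summary for `SQLite3::Database.quote()`.
-*/
-private class QuoteSummary extends SummarizedCallable::Range {
-QuoteSummary() { this = "SQLite3::Database.quote()" }
-
-override MethodCall getACall() { result = any(SQLite3QuoteSanitization c).asExpr().getExpr() }
-
-override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
-}
-}
 }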
Lines changed: 13 additions & 0 deletions
@@ -1,12 +1,25 @@
11
#select
22
| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
3+
| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:33:16:33:77 | "select * from table where cat..." | This SQL query depends on a $@. | sqlite3.rb:25:16:25:21 | call to params | user-provided value |
34
edges
45
| sqlite3.rb:25:5:25:12 | category | sqlite3.rb:29:16:29:67 | "select * from table where cat..." | provenance | AdditionalTaintStep |
6+
| sqlite3.rb:25:5:25:12 | category | sqlite3.rb:32:50:32:57 | category | provenance | |
57
| sqlite3.rb:25:16:25:21 | call to params | sqlite3.rb:25:16:25:32 | ...[...] | provenance | |
68
| sqlite3.rb:25:16:25:32 | ...[...] | sqlite3.rb:25:5:25:12 | category | provenance | |
9+
| sqlite3.rb:32:5:32:22 | sanitized_category | sqlite3.rb:33:16:33:77 | "select * from table where cat..." | provenance | AdditionalTaintStep |
10+
| sqlite3.rb:32:26:32:58 | call to quote | sqlite3.rb:32:5:32:22 | sanitized_category | provenance | |
11+
| sqlite3.rb:32:50:32:57 | category | sqlite3.rb:32:26:32:58 | call to quote | provenance | MaD:1 |
12+
models
13+
| 1 | Summary: SQLite3::Database!; Method[quote]; Argument[0]; ReturnValue; taint |
714
nodes
815
| sqlite3.rb:25:5:25:12 | category | semmle.label | category |
916
| sqlite3.rb:25:16:25:21 | call to params | semmle.label | call to params |
1017
| sqlite3.rb:25:16:25:32 | ...[...] | semmle.label | ...[...] |
1118
| sqlite3.rb:29:16:29:67 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
19+
| sqlite3.rb:32:5:32:22 | sanitized_category | semmle.label | sanitized_category |
20+
| sqlite3.rb:32:26:32:58 | call to quote | semmle.label | call to quote |
21+
| sqlite3.rb:32:50:32:57 | category | semmle.label | category |
22+
| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | semmle.label | "select * from table where cat..." |
1223
subpaths
24+
testFailures
25+
| sqlite3.rb:33:16:33:77 | "select * from table where cat..." | Unexpected result: Alert |
