Merge pull request #21162 from owen-mc/cpp/mad-barriers

jketema · web-flow · commit e36080061dd2 · 2026-01-23T18:14:01.000+01:00
C++: Allow MaD barriers
diff --git a/cpp/ql/lib/change-notes/2026-01-23-mysql.md b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.
diff --git a/cpp/ql/lib/ext/MySql.model.yml b/cpp/ql/lib/ext/MySql.model.yml
@@ -0,0 +1,14 @@
+# partial model of the MySQL api
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*1]", "sql-injection", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*1]", "sql-injection", "manual"]
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
@@ -16,17 +16,3 @@ private class MySqlExecutionFunction extends SqlExecutionFunction {
 
   override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -51,6 +51,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
       input.isParameterDeref(arg) and
       sql.barrierSqlArgument(input, _)
     )
+    or
+    // barrier defined using models-as-data
+    barrierNode(node, "sql-injection")
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.
Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {`
`51`	`51`	`input.isParameterDeref(arg) and`
`52`	`52`	`sql.barrierSqlArgument(input, _)`
`53`	`53`	`)`
	`54`	`+ or`
	`55`	`+ // barrier defined using models-as-data`
	`56`	`+ barrierNode(node, "sql-injection")`
`54`	`57`	`}`
`55`	`58`
`56`	`59`	`predicate observeDiffInformedIncrementalMode() { any() }`