From 656ebab776dd22664b79e0efddeeaa294c1b1d9d Mon Sep 17 00:00:00 2001
From: Owen Mansel-Chan
Date: Tue, 13 Jan 2026 14:40:35 +0000
Subject: [PATCH 1/3] Allow MaD barriers
This commit was done by Opus 4.5 with the following prompt: In the commit 004d40ee931 I have made it so that C# CodeQL queries which use sinks defined using data extensions (also known as "models-as-data"), which are accessed using `sinkNode(Node node, string kind)`, also use barriers defined using models-as-data, which are accessed using `barrierNode(Node node, string kind)`, with the same `kind` string. Please do the same for C++. If there are any complicated cases then list them at the end for me to do manually.
---
 cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
index 5d08afbe304a..8b04b986b891 100644
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -45,6 +45,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 predicate isBarrier(DataFlow::Node node) {
 node.asExpr().getUnspecifiedType() instanceof IntegralType
+ or
+ // barrier defined using models-as-data
+ barrierNode(node, "sql-injection")
 }
 predicate isBarrierIn(DataFlow::Node node) {
From ecd247bf1655a881652ef24ee8ec67137d1b80a9 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Fri, 23 Jan 2026 11:31:15 +0100
Subject: [PATCH 2/3] C++: Add MaD models for MySQL escaping
---
 cpp/ql/lib/ext/MySql.model.yml | 14 ++++++++++++++
 .../code/cpp/models/implementations/MySql.qll | 14 --------------
 2 files changed, 14 insertions(+), 14 deletions(-)
 create mode 100644 cpp/ql/lib/ext/MySql.model.yml
diff --git a/cpp/ql/lib/ext/MySql.model.yml b/cpp/ql/lib/ext/MySql.model.yml
new file mode 100644
index 000000000000..93608177efdc
--- /dev/null
+++ b/cpp/ql/lib/ext/MySql.model.yml
@@ -0,0 +1,14 @@
+# partial model of the MySQL api
+extensions:
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: summaryModel
+ data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+ - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+ - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+ - addsTo:
+ pack: codeql/cpp-all
+ extensible: barrierModel
+ data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+ - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*1]", "sql-injection", "manual"]
+ - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*1]", "sql-injection", "manual"]
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
index ca5d7020158c..b3fc722b0ed0 100644
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
@@ -16,17 +16,3 @@ private class MySqlExecutionFunction extends SqlExecutionFunction {
 override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
- MySqlBarrierFunction() {
- this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
- }
-
- override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
- input.isParameterDeref(2) and
- output.isParameterDeref(1)
- }
-}
From 7ed1c0a2eed2d8e0998ccc0f8d20bc4928977337 Mon Sep 17 00:00:00 2001
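Review bot: The two barrierModel rows declare the escaped output buffer `Argument[*1]` a `sql-injection` barrier unconditionally, and the only documentation left is `# partial model of the MySQL api`, whereas the `MySqlBarrierFunction` class deleted from MySql.qll in the same patch carried a doc comment and an explicit input-to-output pairing (`isParameterDeref(2)` to `isParameterDeref(1)`). The barrier row format has no input column, so that pairing cannot be expressed, but the assumption it encoded should be written down: per the MySQL documentation `mysql_real_escape_string` only neutralizes the input when the caller places the result inside quotes and it is not usable under the NO_BACKSLASH_ESCAPES SQL mode (the reason `mysql_real_escape_string_quote` exists), so I would extend the header to something like `# partial model of the MySQL C API; the escaping functions are modelled as full sql-injection barriers on their output buffer, assuming the result is quoted in the statement (quoting context and SQL mode are not checked)`. A second header line saying that the `taint` summary rows and the barrier rows intentionally target the same node, so presumably taint still propagates through the escaper for every kind other than `sql-injection`, would stop a reader from taking the two extensions as contradictory. Since the QL-class barrier is removed here, the escaping now only suppresses results in queries whose `isBarrier` calls `barrierNode(node, "sql-injection")` as SqlTainted.ql does in the first patch; any other query still relying on `SqlBarrierFunction` would silently lose the MySQL barrier, which is worth confirming before merge.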
From: Jeroen Ketema
Date: Fri, 23 Jan 2026 14:09:10 +0100
Subject: [PATCH 3/3] C++: Add change note
---
 cpp/ql/lib/change-notes/2026-01-23-mysql.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 cpp/ql/lib/change-notes/2026-01-23-mysql.md
diff --git a/cpp/ql/lib/change-notes/2026-01-23-mysql.md b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
new file mode 100644
index 000000000000..ee4268f8152c
--- /dev/null
+++ b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.