Merge pull request #5860 from max-schaefer/js/improve-sql-modelling
Approved by asgerf
codeql-ci committed May 11, 2021
2 parents beb66fc + 8f91e9e commit a877311
Showing 4 changed files with 18 additions and 3 deletions.
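--- a/javascript/change-notes/2021-05-10-sqlite3-chaining.md
+++ b/javascript/change-notes/2021-05-10-sqlite3-chaining.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
+additional results from the `js/sql-injection` query.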
14 changes: 12 additions & 2 deletions javascript/ql/src/semmle/javascript/frameworks/SQL.qll
Expand Up @@ -341,18 +341,28 @@ private module Sqlite {
result = sqlite().getMember("verbose").getReturn()
}

/** Gets an expression that constructs a Sqlite database instance. */
/** Gets an expression that constructs or returns a Sqlite database instance. */
API::Node database() {
// new require('sqlite3').Database()
result = sqlite().getMember("Database").getInstance()
or
// chained call
result = getAChainingQueryCall()
or
result = API::Node::ofType("sqlite3", "Database")
}

/** A call to a query method on a Sqlite database instance that returns the same instance. */
private API::Node getAChainingQueryCall() {
result = database().getMember(["all", "each", "exec", "get", "run"]).getReturn()
}

/** A call to a Sqlite query method. */
private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
QueryCall() {
this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
this = getAChainingQueryCall().getAnImmediateUse()
or
this = database().getMember("prepare").getACall()
}

override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
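Review bot: The QLDoc on the new `getAChainingQueryCall` predicate says "A call to a query method on a Sqlite database instance that returns the same instance", but the predicate does not yield the call — it yields the `API::Node` for the call's return value, and the call itself is only recovered in `QueryCall` via `getAnImmediateUse()`. The file's own convention for result-bearing predicates is the "Gets …" form used on `database()` just above, so I would write `/** Gets the API node for the return value of an all/each/exec/get/run call on a Sqlite database instance; sqlite3 returns the database itself from these, which is what lets chains such as db.run(a).run(b) reach QueryCall. */`. A one-line comment on the `prepare` disjunct in `QueryCall` explaining that it is kept out of the chaining list because it returns a Statement rather than the database (and so must not feed back into `database()`) would make that distinction survive the next edit. I have not checked against the sqlite3 sources whether other Database methods (for instance `serialize` or `parallelize`) also return the instance; if they do, chains that pass through them are still not modelled here. The enclosing `Sqlite` module starts before and ends after this hunk.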
Expand Up @@ -66,5 +66,6 @@
| spannerImport.js:4:8:4:17 | "SQL code" |
| sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
| sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
| sqlite.js:8:8:8:45 | "UPDATE ... id = ?" |
| sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
| sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
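--- a/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
+++ b/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
@@ -4,6 +4,7 @@
 var sqlite = require('sqlite3');
 
 var db = new sqlite.Database(":memory:");
-db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
+db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2)
+.run("UPDATE tbl SET name = ? WHERE id = ?", "foo", 3);
 
 exports.db = db;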
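Review bot: The added chain on lines 7–8 only exercises `run` chained onto `run`, so the other four members named in `getAChainingQueryCall` (`all`, `each`, `exec`, `get`) and any chain longer than two links are not covered by the single new expected-output row. A second fixture such as `db.exec("CREATE TABLE tbl (id, name)").get("SELECT * FROM tbl WHERE id = ?", 1).each("SELECT name FROM tbl", function () {});` would pin the recursion between `database()` and the chaining predicate for each member. The change note advertises additional `js/sql-injection` results, so presumably a query-level test with a tainted value reaching a chained call exists or is wanted as well; that test directory is not visible from this page.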
