C++: Use the new SQL interface in 'Security.qll' and 'SqlTainted.ql'.

Author: MathiasVP

cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql

@@ -16,6 +16,7 @@ import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.security.Sql
 import TaintedWithPath
 
 class SQLLikeFunction extends FunctionWithWrappers {
@@ -30,7 +31,15 @@ class Configuration extends TaintTrackingConfiguration {
   }
 
   override predicate isBarrier(Expr e) {
-    super.isBarrier(e) or e.getUnspecifiedType() instanceof IntegralType
+    super.isBarrier(e)
+    or
+    e.getUnspecifiedType() instanceof IntegralType
+    or
+    exists(SqlFunctionality sql, int arg, Function func, FunctionInput input |
+      e = func.getACallToThisFunction().getArgument(arg) and
+      input.isParameterDeref(arg) and
+      sql.getAnEscapedParameter(func, input, _)
+    )
   }
 }
 

cpp/ql/src/semmle/code/cpp/security/Security.qll

@@ -7,6 +7,7 @@ import semmle.code.cpp.exprs.Expr
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.SecurityOptions
 import semmle.code.cpp.models.interfaces.FlowSource
+private import Sql
 
 /**
  * Extend this class to customize the security queries for
@@ -34,13 +35,11 @@ class SecurityOptions extends string {
    * An argument to a function that is passed to a SQL server.
    */
   predicate sqlArgument(string function, int arg) {
-    // MySQL C API
-    function = "mysql_query" and arg = 1
-    or
-    function = "mysql_real_query" and arg = 1
-    or
-    // SQLite3 C API
-    function = "sqlite3_exec" and arg = 1
+    exists(Function func, FunctionInput input, SqlFunctionality sql |
+      func.hasName(function) and
+      input.isParameterDeref(arg) and
+      sql.getAnSqlParameter(func, input)
+    )
   }
 
   /**