C++: Add additional functions to the SQL models

rdmarsh2 · rdmarsh2 · commit 3108817717d6 · 2021-09-21T17:34:01.000-07:00
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
@@ -1,8 +1,32 @@
+/**
+ * Provides implementation classes modeling the MySql C API.
+ * See `semmle.code.cpp.models.Models` for usage information.
+ */
+
 private import semmle.code.cpp.models.interfaces.Sql
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
+/**
+ * The `mysql_query` family of functions from the MySQL C API.
+ */
 private class MySqlExecutionFunction extends SqlExecutionFunction {
-  MySqlExecutionFunction() { this.hasName(["mysql_query", "mysql_real_query"]) }
+  MySqlExecutionFunction() {
+    this.hasName(["mysql_query", "mysql_real_query", "mysql_real_query_nonblocking"])
+  }
 
   override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
+
+/**
+ * The `mysql_real_escape_string` family of functions from the MySQL C API.
+ */
+private class MySqlBarrierFunction extends SqlBarrierFunction {
+  MySqlBarrierFunction() {
+    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
+  }
+
+  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref(2) and
+    output.isParameterDeref(1)
+  }
+}
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/SqLite3.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/SqLite3.qll
@@ -1,8 +1,21 @@
+/**
+ * Provides implementation classes modeling the SQLite C API.
+ * See `semmle.code.cpp.models.Models` for usage information.
+ */
+
 private import semmle.code.cpp.models.interfaces.Sql
 private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
+/**
+ * The `sqlite3_exec` and `sqlite3_prepare` families of functions from the SQLite C API.
+ */
 private class SqLite3ExecutionFunction extends SqlExecutionFunction {
-  SqLite3ExecutionFunction() { this.hasName("sqlite3_exec") }
+  SqLite3ExecutionFunction() {
+    this.hasName([
+        "sqlite3_exec", "sqlite3_prepare", "sqlite3_prepare_v2", "sqlite3_prepare_v3",
+        "sqlite3_prepare16", "sqlite3_prepare16_v2", "sqlite3_prepare16_v3"
+      ])
+  }
 
   override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
