C++: Make the new SQL abstract classes extend 'Function' instead. This is more in line with how we model RemoteFlowFunction.

MathiasVP · MathiasVP · commit 90633b9ce131 · 2021-06-23T11:49:51.000+02:00
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -16,7 +16,6 @@ import cpp
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.FunctionWithWrappers
 import semmle.code.cpp.security.TaintTracking
-import semmle.code.cpp.security.Sql
 import TaintedWithPath
 
 class SQLLikeFunction extends FunctionWithWrappers {
@@ -35,10 +34,10 @@ class Configuration extends TaintTrackingConfiguration {
     or
     e.getUnspecifiedType() instanceof IntegralType
     or
-    exists(SqlFunctionality sql, int arg, Function func, FunctionInput input |
-      e = func.getACallToThisFunction().getArgument(arg) and
+    exists(SqlBarrier sqlFunc, int arg, FunctionInput input |
+      e = sqlFunc.getACallToThisFunction().getArgument(arg) and
       input.isParameterDeref(arg) and
-      sql.getAnEscapedParameter(func, input, _)
+      sqlFunc.getAnEscapedParameter(input, _)
     )
   }
 }
diff --git a/cpp/ql/src/semmle/code/cpp/models/Models.qll b/cpp/ql/src/semmle/code/cpp/models/Models.qll
@@ -33,3 +33,6 @@ private import implementations.Recv
 private import implementations.Accept
 private import implementations.Poll
 private import implementations.Select
+private import implementations.MySql
+private import implementations.SqLite3
+private import implementations.PostgreSql
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/MySql.qll
@@ -0,0 +1,8 @@
+private import semmle.code.cpp.models.interfaces.Sql
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+
+private class MySqlSink extends SqlSink {
+  MySqlSink() { this.hasName(["mysql_query", "mysql_real_query"]) }
+
+  override predicate getAnSqlParameter(FunctionInput input) { input.isParameterDeref(1) }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/PostgreSql.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/PostgreSql.qll
@@ -0,0 +1,93 @@
+private import semmle.code.cpp.models.interfaces.Sql
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+
+private predicate pqxxTransactionSqlArgument(string function, int arg) {
+  function = "exec" and arg = 0
+  or
+  function = "exec0" and arg = 0
+  or
+  function = "exec1" and arg = 0
+  or
+  function = "exec_n" and arg = 1
+  or
+  function = "exec_params" and arg = 0
+  or
+  function = "exec_params0" and arg = 0
+  or
+  function = "exec_params1" and arg = 0
+  or
+  function = "exec_params_n" and arg = 1
+  or
+  function = "query_value" and arg = 0
+  or
+  function = "stream" and arg = 0
+}
+
+private predicate pqxxConnectionSqlArgument(string function, int arg) {
+  function = "prepare" and arg = 1
+}
+
+private predicate pqxxTransationClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in [
+      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
+      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
+    ]
+}
+
+private predicate pqxxConnectionClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in ["connection_base", "basic_connection", "connection"]
+}
+
+private predicate pqxxEscapeArgument(string function, int arg) {
+  arg = 0 and
+  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
+}
+
+private class PostgreSqlSink extends SqlSink {
+  PostgreSqlSink() {
+    exists(Class c |
+      this.getDeclaringType() = c and
+      // transaction exec and connection prepare variations
+      (
+        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) and
+        pqxxTransactionSqlArgument(this.getName(), _)
+        or
+        pqxxConnectionSqlArgument(this.getName(), _) and
+        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
+      )
+    )
+  }
+
+  override predicate getAnSqlParameter(FunctionInput input) {
+    exists(int argIndex |
+      pqxxTransactionSqlArgument(this.getName(), argIndex)
+      or
+      pqxxConnectionSqlArgument(this.getName(), argIndex)
+    |
+      input.isParameterDeref(argIndex)
+    )
+  }
+}
+
+private class PostgreSqlBarrier extends SqlBarrier {
+  PostgreSqlBarrier() {
+    exists(Class c |
+      this.getDeclaringType() = c and
+      // transaction and connection escape functions
+      (
+        pqxxTransationClassNames(c.getName(), c.getNamespace().getName()) or
+        pqxxConnectionClassNames(c.getName(), c.getNamespace().getName())
+      ) and
+      pqxxEscapeArgument(this.getName(), _)
+    )
+  }
+
+  override predicate getAnEscapedParameter(FunctionInput input, FunctionOutput output) {
+    exists(int argIndex |
+      input.isParameterDeref(argIndex) and
+      output.isReturnValueDeref()
+    )
+  }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/implementations/SqLite3.qll b/cpp/ql/src/semmle/code/cpp/models/implementations/SqLite3.qll
@@ -0,0 +1,8 @@
+private import semmle.code.cpp.models.interfaces.Sql
+private import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
+
+private class SqLite3Sink extends SqlSink {
+  SqLite3Sink() { this.hasName("sqlite3_exec") }
+
+  override predicate getAnSqlParameter(FunctionInput input) { input.isParameterDeref(1) }
+}
diff --git a/cpp/ql/src/semmle/code/cpp/models/interfaces/Sql.qll b/cpp/ql/src/semmle/code/cpp/models/interfaces/Sql.qll
@@ -0,0 +1,30 @@
+/**
+ * Provides abstract classes for modeling functions that execute and escape SQL query strings.
+ * To use this QL library, create a QL class extending `SqlSink` or `SqlBarrier` with a
+ * characteristic predicate that selects the function or set of functions you are modeling.
+ * Within that class, override the predicates provided by the class to match the way a
+ * parameter flows into the function and, in the case of `SqlBarrier`, out of the function.
+ */
+
+private import cpp
+
+/**
+ * An abstract class that represents a function that executes an SQL query.
+ */
+abstract class SqlSink extends Function {
+  /**
+   * Holds if `input` to this function represents data that is passed to an SQL server.
+   */
+  abstract predicate getAnSqlParameter(FunctionInput input);
+}
+
+/**
+ * An abstract class that represents a function that escapes an SQL query string.
+ */
+abstract class SqlBarrier extends Function {
+  /**
+   * Holds if the `output` escapes the SQL input `input` such that is it safe to pass to
+   * an `SqlSink`.
+   */
+  abstract predicate getAnEscapedParameter(FunctionInput input, FunctionOutput output);
+}
diff --git a/cpp/ql/src/semmle/code/cpp/security/Security.qll b/cpp/ql/src/semmle/code/cpp/security/Security.qll
@@ -7,7 +7,7 @@ import semmle.code.cpp.exprs.Expr
 import semmle.code.cpp.commons.Environment
 import semmle.code.cpp.security.SecurityOptions
 import semmle.code.cpp.models.interfaces.FlowSource
-private import Sql
+import semmle.code.cpp.models.interfaces.Sql
 
 /**
  * Extend this class to customize the security queries for
@@ -35,10 +35,10 @@ class SecurityOptions extends string {
    * An argument to a function that is passed to a SQL server.
    */
   predicate sqlArgument(string function, int arg) {
-    exists(Function func, FunctionInput input, SqlFunctionality sql |
-      func.hasName(function) and
+    exists(FunctionInput input, SqlSink sqlSink |
+      sqlSink.hasName(function) and
       input.isParameterDeref(arg) and
-      sql.getAnSqlParameter(func, input)
+      sqlSink.getAnSqlParameter(input)
     )
   }
 
diff --git a/cpp/ql/src/semmle/code/cpp/security/Sql.qll b/cpp/ql/src/semmle/code/cpp/security/Sql.qll
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -5,14 +5,14 @@ edges
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 indirection |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | (const char *)... |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | (const char *)... |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array indirection |
-| test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array indirection |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | (const char *)... |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | (const char *)... |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array indirection |
+| test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array indirection |
 nodes
 | test.c:15:20:15:23 | argv | semmle.label | argv |
 | test.c:15:20:15:23 | argv | semmle.label | argv |
@@ -21,15 +21,15 @@ nodes
 | test.c:21:18:21:23 | query1 | semmle.label | query1 |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
 | test.c:21:18:21:23 | query1 indirection | semmle.label | query1 indirection |
-| test.cpp:44:27:44:30 | argv | semmle.label | argv |
-| test.cpp:44:27:44:30 | argv | semmle.label | argv |
-| test.cpp:44:27:44:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:44:27:44:33 | (const char *)... | semmle.label | (const char *)... |
-| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
-| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
-| test.cpp:44:27:44:33 | access to array | semmle.label | access to array |
-| test.cpp:44:27:44:33 | access to array indirection | semmle.label | access to array indirection |
-| test.cpp:44:27:44:33 | access to array indirection | semmle.label | access to array indirection |
+| test.cpp:43:27:43:30 | argv | semmle.label | argv |
+| test.cpp:43:27:43:30 | argv | semmle.label | argv |
+| test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:27:43:33 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
+| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
+| test.cpp:43:27:43:33 | access to array | semmle.label | access to array |
+| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
+| test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
 #select
 | test.c:21:18:21:23 | query1 | test.c:15:20:15:23 | argv | test.c:21:18:21:23 | query1 | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg) | test.c:15:20:15:23 | argv | user input (argv) |
-| test.cpp:44:27:44:33 | access to array | test.cpp:44:27:44:30 | argv | test.cpp:44:27:44:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)) | test.cpp:44:27:44:30 | argv | user input (argv) |
+| test.cpp:43:27:43:33 | access to array | test.cpp:43:27:43:30 | argv | test.cpp:43:27:43:33 | access to array | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)) | test.cpp:43:27:43:30 | argv | user input (argv) |
