Adding sql injection test for ODBC.

Author: bdrodes

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected

@@ -4,6 +4,8 @@ edges
 | test.c:35:16:35:23 | userName indirection | test.c:40:25:40:32 | username indirection |
 | test.c:38:7:38:20 | globalUsername indirection | test.c:51:18:51:23 | query1 indirection |
 | test.c:40:25:40:32 | username indirection | test.c:38:7:38:20 | globalUsername indirection |
+| test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | userInput indirection |
+| test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | userInput indirection |
 | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection |
 nodes
 | test.c:14:27:14:30 | argv indirection | semmle.label | argv indirection |
@@ -12,10 +14,15 @@ nodes
 | test.c:38:7:38:20 | globalUsername indirection | semmle.label | globalUsername indirection |
 | test.c:40:25:40:32 | username indirection | semmle.label | username indirection |
 | test.c:51:18:51:23 | query1 indirection | semmle.label | query1 indirection |
+| test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
+| test.c:76:17:76:25 | userInput indirection | semmle.label | userInput indirection |
+| test.c:77:20:77:28 | userInput indirection | semmle.label | userInput indirection |
 | test.cpp:39:27:39:30 | argv indirection | semmle.label | argv indirection |
 | test.cpp:43:27:43:33 | access to array indirection | semmle.label | access to array indirection |
 subpaths
 #select
 | test.c:21:18:21:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:21:18:21:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
 | test.c:51:18:51:23 | query1 | test.c:14:27:14:30 | argv indirection | test.c:51:18:51:23 | query1 indirection | This argument to a SQL query function is derived from $@ and then passed to mysql_query(sqlArg). | test.c:14:27:14:30 | argv indirection | user input (a command-line argument) |
+| test.c:76:17:76:25 | userInput | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | userInput indirection | This argument to a SQL query function is derived from $@ and then passed to SQLPrepare(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
+| test.c:77:20:77:28 | userInput | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | userInput indirection | This argument to a SQL query function is derived from $@ and then passed to SQLExecDirect(StatementText). | test.c:75:8:75:16 | gets output argument | user input (string read by gets) |
 | test.cpp:43:27:43:33 | access to array | test.cpp:39:27:39:30 | argv indirection | test.cpp:43:27:43:33 | access to array indirection | This argument to a SQL query function is derived from $@ and then passed to pqxx::work::exec1((unnamed parameter 0)). | test.cpp:39:27:39:30 | argv indirection | user input (a command-line argument) |

cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c

@@ -50,3 +50,29 @@ void badFunc() {
   snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userName);
   mysql_query(0, query1); // BAD
 }
+
+//ODBC Library Rountines
+typedef unsigned char SQLCHAR;
+typedef long int SQLINTEGER;
+typedef int SQLRETURN;
+typedef void* SQLHSTMT;
+
+char* gets(char *str);
+
+
+SQLRETURN SQLPrepare(  
+     SQLHSTMT      StatementHandle,  
+     SQLCHAR *     StatementText,  
+     SQLINTEGER    TextLength);  
+
+     SQLRETURN SQLExecDirect(  
+     SQLHSTMT     StatementHandle,  
+     SQLCHAR *    StatementText,  
+     SQLINTEGER   TextLength);  
+
+void ODBCTests(){
+  char userInput[100];
+  gets(userInput);
+  SQLPrepare(0, userInput, 100); // BAD
+  SQLExecDirect(0, userInput, 100); // BAD
+}