Modeled execute as potential hana's sink.

Napalys · Napalys · commit e595def8b039 · 2025-03-25T14:44:37.000+01:00
diff --git a/javascript/ql/lib/ext/hana-db-client.model.yml b/javascript/ql/lib/ext/hana-db-client.model.yml
@@ -5,4 +5,4 @@ extensions:
     data:
       - ["@sap/hana-client", "Member[createConnection].ReturnValue.Member[exec,prepare].Argument[0]", "sql-injection"]
 
-      - ["hdb", "Member[createClient].ReturnValue.Member[exec,prepare].Argument[0]", "sql-injection"]
+      - ["hdb", "Member[createClient].ReturnValue.Member[exec,prepare,execute].Argument[0]", "sql-injection"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -19,6 +19,7 @@
 | hana.js:74:17:74:54 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:74:17:74:54 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
 | hana.js:76:20:76:73 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:76:20:76:73 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
 | hana.js:80:20:80:69 | 'call P ... usInput | hana.js:68:24:68:31 | req.body | hana.js:80:20:80:69 | 'call P ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
+| hana.js:84:20:84:78 | 'select ... usInput | hana.js:68:24:68:31 | req.body | hana.js:84:20:84:78 | 'select ... usInput | This query string depends on a $@. | hana.js:68:24:68:31 | req.body | user-provided value |
 | html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:16:9:16:59 | `SELECT ...  param1 | This query string depends on a $@. | html-sanitizer.js:13:39:13:44 | param1 | user-provided value |
 | json-schema-validator.js:33:22:33:26 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:33:22:33:26 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
 | json-schema-validator.js:35:18:35:22 | query | json-schema-validator.js:25:34:25:47 | req.query.data | json-schema-validator.js:35:18:35:22 | query | This query object depends on a $@. | json-schema-validator.js:25:34:25:47 | req.query.data | user-provided value |
@@ -179,12 +180,14 @@ edges
 | hana.js:68:7:68:36 | maliciousInput | hana.js:74:41:74:54 | maliciousInput | provenance |  |
 | hana.js:68:7:68:36 | maliciousInput | hana.js:76:60:76:73 | maliciousInput | provenance |  |
 | hana.js:68:7:68:36 | maliciousInput | hana.js:80:56:80:69 | maliciousInput | provenance |  |
+| hana.js:68:7:68:36 | maliciousInput | hana.js:84:65:84:78 | maliciousInput | provenance |  |
 | hana.js:68:24:68:31 | req.body | hana.js:68:7:68:36 | maliciousInput | provenance |  |
 | hana.js:71:86:71:99 | maliciousInput | hana.js:71:44:71:99 | "INSERT ... usInput | provenance |  |
 | hana.js:73:41:73:54 | maliciousInput | hana.js:73:17:73:54 | 'select ... usInput | provenance |  |
 | hana.js:74:41:74:54 | maliciousInput | hana.js:74:17:74:54 | 'select ... usInput | provenance |  |
 | hana.js:76:60:76:73 | maliciousInput | hana.js:76:20:76:73 | 'select ... usInput | provenance |  |
 | hana.js:80:56:80:69 | maliciousInput | hana.js:80:20:80:69 | 'call P ... usInput | provenance |  |
+| hana.js:84:65:84:78 | maliciousInput | hana.js:84:20:84:78 | 'select ... usInput | provenance |  |
 | html-sanitizer.js:13:39:13:44 | param1 | html-sanitizer.js:14:18:14:23 | param1 | provenance |  |
 | html-sanitizer.js:14:5:14:24 | param1 | html-sanitizer.js:16:54:16:59 | param1 | provenance |  |
 | html-sanitizer.js:14:14:14:24 | xss(param1) | html-sanitizer.js:14:5:14:24 | param1 | provenance |  |
@@ -566,6 +569,8 @@ nodes
 | hana.js:76:60:76:73 | maliciousInput | semmle.label | maliciousInput |
 | hana.js:80:20:80:69 | 'call P ... usInput | semmle.label | 'call P ... usInput |
 | hana.js:80:56:80:69 | maliciousInput | semmle.label | maliciousInput |
+| hana.js:84:20:84:78 | 'select ... usInput | semmle.label | 'select ... usInput |
+| hana.js:84:65:84:78 | maliciousInput | semmle.label | maliciousInput |
 | html-sanitizer.js:13:39:13:44 | param1 | semmle.label | param1 |
 | html-sanitizer.js:14:5:14:24 | param1 | semmle.label | param1 |
 | html-sanitizer.js:14:14:14:24 | xss(param1) | semmle.label | xss(param1) |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/hana.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/hana.js
@@ -81,6 +81,6 @@ app2.post('/documents/find', (req, res) => {
       statement.exec({A: 3, B: maliciousInput}, function(err, parameters, dummyRows, tableRows) {}); 
     });
 
-    client.execute('select A, B from TEST.NUMBERS order by A' + maliciousInput, function(err, rs) {}); // $ MISSING: Alert
+    client.execute('select A, B from TEST.NUMBERS order by A' + maliciousInput, function(err, rs) {}); // $ Alert
   });
 });
