C++: SqlPqxxTainted.ql style fixes

japroc · japroc · commit 55045626df5f · 2021-05-25T22:38:27.000+03:00
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.qhelp
@@ -12,11 +12,11 @@ to <code>sprintf</code>. This leaves the code vulnerable to attack by SQL Inject
 <recommendation>
 
 <p>Use a library routine to escape characters in the user-supplied
-string before converting it to SQL. Use esc and quote pqxx library functions.</p>
+string before converting it to SQL. Use <code>esc</code> and <code>quote</code> pqxx library functions.</p>
 
 </recommendation>
 <example>
-<sample src="SqlPqxxTainted.c" />
+<sample src="SqlPqxxTainted.cpp" />
 
 </example>
 <references>
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql b/cpp/ql/src/experimental/Security/CWE/CWE-089/SqlPqxxTainted.ql
@@ -16,32 +16,17 @@ import semmle.code.cpp.security.Security
 import semmle.code.cpp.dataflow.TaintTracking
 import DataFlow::PathGraph
 
-predicate pqxxTransationClassNames(string class_name, string namespace) {
-  class_name = "dbtransaction" and namespace = "pqxx"
-  or
-  class_name = "nontransaction" and namespace = "pqxx"
-  or
-  class_name = "basic_robusttransaction" and namespace = "pqxx"
-  or
-  class_name = "robusttransaction" and namespace = "pqxx"
-  or
-  class_name = "subtransaction" and namespace = "pqxx"
-  or
-  class_name = "transaction" and namespace = "pqxx"
-  or
-  class_name = "basic_transaction" and namespace = "pqxx"
-  or
-  class_name = "transaction_base" and namespace = "pqxx"
-  or
-  class_name = "work" and namespace = "pqxx"
+predicate pqxxTransationClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in [
+      "dbtransaction", "nontransaction", "basic_robusttransaction", "robusttransaction",
+      "subtransaction", "transaction", "basic_transaction", "transaction_base", "work"
+    ]
 }
 
-predicate pqxxConnectionClassNames(string class_name, string namespace) {
-  class_name = "connection_base" and namespace = "pqxx"
-  or
-  class_name = "basic_connection" and namespace = "pqxx"
-  or
-  class_name = "connection" and namespace = "pqxx"
+predicate pqxxConnectionClassNames(string className, string namespace) {
+  namespace = "pqxx" and
+  className in ["connection_base", "basic_connection", "connection"]
 }
 
 predicate pqxxTransactionSqlArgument(string function, int arg) {
@@ -89,21 +74,7 @@ Expr getPqxxSqlArgument() {
 
 predicate pqxxEscapeArgument(string function, int arg) {
   arg = 0 and
-  (
-    function = "esc"
-    or
-    function = "esc_raw"
-    or
-    function = "quote"
-    or
-    function = "quote_raw"
-    or
-    function = "quote_name"
-    or
-    function = "quote_table"
-    or
-    function = "esc_like"
-  )
+  function in ["esc", "esc_raw", "quote", "quote_raw", "quote_name", "quote_table", "esc_like"]
 }
 
 predicate isEscapedPqxxArgument(Expr argExpr) {
