Merge pull request github#5860 from max-schaefer/js/improve-sql-modelling

codeql-ci · web-flow · commit a87731115afd · 2021-05-11T02:24:52.000-07:00
Approved by asgerf
diff --git a/javascript/change-notes/2021-05-10-sqlite3-chaining.md b/javascript/change-notes/2021-05-10-sqlite3-chaining.md
@@ -0,0 +1,3 @@
+lgtm,codescanning
+* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
+  additional results from the `js/sql-injection` query.
diff --git a/javascript/ql/src/semmle/javascript/frameworks/SQL.qll b/javascript/ql/src/semmle/javascript/frameworks/SQL.qll
@@ -341,18 +341,28 @@ private module Sqlite {
     result = sqlite().getMember("verbose").getReturn()
   }
 
-  /** Gets an expression that constructs a Sqlite database instance. */
+  /** Gets an expression that constructs or returns a Sqlite database instance. */
   API::Node database() {
     // new require('sqlite3').Database()
     result = sqlite().getMember("Database").getInstance()
     or
+    // chained call
+    result = getAChainingQueryCall()
+    or
     result = API::Node::ofType("sqlite3", "Database")
   }
 
+  /** A call to a query method on a Sqlite database instance that returns the same instance. */
+  private API::Node getAChainingQueryCall() {
+    result = database().getMember(["all", "each", "exec", "get", "run"]).getReturn()
+  }
+
   /** A call to a Sqlite query method. */
   private class QueryCall extends DatabaseAccess, DataFlow::MethodCallNode {
     QueryCall() {
-      this = database().getMember(["all", "each", "exec", "get", "prepare", "run"]).getACall()
+      this = getAChainingQueryCall().getAnImmediateUse()
+      or
+      this = database().getMember("prepare").getACall()
     }
 
     override DataFlow::Node getAQueryArgument() { result = getArgument(0) }
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected b/javascript/ql/test/library-tests/frameworks/SQL/SqlString.expected
@@ -66,5 +66,6 @@
 | spannerImport.js:4:8:4:17 | "SQL code" |
 | sqlite-types.ts:4:12:4:49 | "UPDATE ... id = ?" |
 | sqlite.js:7:8:7:45 | "UPDATE ... id = ?" |
+| sqlite.js:8:8:8:45 | "UPDATE ... id = ?" |
 | sqliteArray.js:6:12:6:49 | "UPDATE ... id = ?" |
 | sqliteImport.js:2:8:2:44 | "UPDATE ... id = ?" |
diff --git a/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js b/javascript/ql/test/library-tests/frameworks/SQL/sqlite.js
@@ -4,6 +4,7 @@
 var sqlite = require('sqlite3');
 
 var db = new sqlite.Database(":memory:");
-db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2);
+db.run("UPDATE tbl SET name = ? WHERE id = ?", "bar", 2)
+  .run("UPDATE tbl SET name = ? WHERE id = ?", "foo", 3);
 
 exports.db = db;

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+lgtm,codescanning`
	`2`	+* Modelling of chaining methods in the `sqlite3` package has improved, which may lead to
	`3`	+ additional results from the `js/sql-injection` query.