C++: Support SQL Injection sinks for Oracle Call Interface (OCI)

ebickle · ebickle · commit 32464a899531 · 2025-06-20T06:05:24.000-07:00
diff --git a/cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md b/cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.
diff --git a/cpp/ql/lib/ext/Oracle.oci.model.yml b/cpp/ql/lib/ext/Oracle.oci.model.yml
@@ -0,0 +1,8 @@
+# partial model of the Oracle Call Interface (OCI) library
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sinkModel
+    data: # namespace, type, subtypes, name, signature, ext, input, kind, provenance
+      - ["", "", False, "OCIStmtPrepare", "", "", "Argument[*2]", "sql-injection", "manual"]
+      - ["", "", False, "OCIStmtPrepare2", "", "", "Argument[*3]", "sql-injection", "manual"]
diff --git a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -38,6 +38,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {
 
   predicate isSink(DataFlow::Node node) {
     exists(SqlLikeFunction runSql | runSql.outermostWrapperFunctionCall(asSinkExpr(node), _))
+    or
+    // sink defined using models-as-data
+    sinkNode(node, "sql-injection")
   }
 
   predicate isBarrier(DataFlow::Node node) {
diff --git a/cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md b/cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `cpp/sql-injection` now can be extended using the `sql-injection` Models as Data (MaD) sink kind.
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected
@@ -9,6 +9,8 @@ edges
 | test.c:48:20:48:33 | *globalUsername | test.c:51:18:51:23 | *query1 | provenance | TaintFunction |
 | test.c:75:8:75:16 | gets output argument | test.c:76:17:76:25 | *userInput | provenance |  |
 | test.c:75:8:75:16 | gets output argument | test.c:77:20:77:28 | *userInput | provenance |  |
+| test.c:101:8:101:16 | gets output argument | test.c:106:24:106:29 | *query1 | provenance | TaintFunction Sink:MaD:325 |
+| test.c:101:8:101:16 | gets output argument | test.c:107:28:107:33 | *query1 | provenance | TaintFunction Sink:MaD:326 |
 | test.cpp:39:27:39:30 | **argv | test.cpp:43:27:43:33 | *access to array | provenance |  |
 nodes
 | test.c:14:27:14:30 | **argv | semmle.label | **argv |
@@ -23,6 +25,9 @@ nodes
 | test.c:75:8:75:16 | gets output argument | semmle.label | gets output argument |
 | test.c:76:17:76:25 | *userInput | semmle.label | *userInput |
 | test.c:77:20:77:28 | *userInput | semmle.label | *userInput |
+| test.c:101:8:101:16 | gets output argument | semmle.label | gets output argument |
+| test.c:106:24:106:29 | *query1 | semmle.label | *query1 |
+| test.c:107:28:107:33 | *query1 | semmle.label | *query1 |
 | test.cpp:39:27:39:30 | **argv | semmle.label | **argv |
 | test.cpp:43:27:43:33 | *access to array | semmle.label | *access to array |
 subpaths
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c
@@ -75,4 +75,41 @@ void ODBCTests(){
   gets(userInput);
   SQLPrepare(0, userInput, 100); // BAD
   SQLExecDirect(0, userInput, 100); // BAD
+}
+
+// Oracle Call Interface (OCI) Routines
+int OCIStmtPrepare(
+      void *arg0,
+      void *arg1,
+      const unsigned char *sql,
+      unsigned int arg3,
+      unsigned int arg4,
+      unsigned int arg5);
+int OCIStmtPrepare2(
+      void *arg0,
+      void **arg1,
+      void *arg2,
+      const unsigned char *sql,
+      unsigned int arg4,
+      const unsigned char *arg5,
+      unsigned int arg6,
+      unsigned int arg7,
+      unsigned int arg8);
+
+void OCITests(){
+  char userInput[100];
+  gets(userInput);
+
+  // a string from the user is injected directly into an SQL query.
+  char query1[1000] = {0};
+  snprintf(query1, 1000, "SELECT UID FROM USERS where name = \"%s\"", userInput);
+  OCIStmtPrepare(0, 0, query1, 0, 0, 0); // BAD
+  OCIStmtPrepare2(0, 0, 0, query1, 0, 0, 0, 0, 0); // BAD
+
+  // an integer from the user is injected into an SQL query.
+  int userNumber = atoi(userInput);
+  char query2[1000] = {0};
+  snprintf(query2, 1000, "SELECT UID FROM USERS where number = \"%i\"", userNumber);
+  OCIStmtPrepare(0, 0, query2, 0, 0, 0); // GOOD
+  OCIStmtPrepare2(0, 0, 0, query2, 0, 0, 0, 0, 0); // GOOD
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,9 @@ module SqlTaintedConfig implements DataFlow::ConfigSig {`
`38`	`38`
`39`	`39`	`predicate isSink(DataFlow::Node node) {`
`40`	`40`	`exists(SqlLikeFunction runSql \| runSql.outermostWrapperFunctionCall(asSinkExpr(node), _))`
	`41`	`+ or`
	`42`	`+ // sink defined using models-as-data`
	`43`	`+ sinkNode(node, "sql-injection")`
`41`	`44`	`}`
`42`	`45`
`43`	`46`	`predicate isBarrier(DataFlow::Node node) {`