Commit b82bd2c

PS: Add false positive to 'ps/sql-injection'.
1 parent 56977c7 commit b82bd2c

2 files changed

+8
-1
lines changed

powershell/ql/test/query-tests/security/cwe-089/SqlInjection.expected

Lines changed: 4 additions & 0 deletions
@@ -3,15 +3,19 @@ edges
33
| test.ps1:1:14:1:45 | Call to read-host | test.ps1:9:72:9:77 | query | provenance | Src:MaD:0 |
44
| test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | Src:MaD:0 |
55
| test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | Src:MaD:0 |
6+
| test.ps1:58:11:58:30 | server_instance | test.ps1:59:31:59:37 | server | provenance | |
67
nodes
78
| test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host |
89
| test.ps1:5:72:5:77 | query | semmle.label | query |
910
| test.ps1:9:72:9:77 | query | semmle.label | query |
1011
| test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$userinput' |
1112
| test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$userinput' |
13+
| test.ps1:58:11:58:30 | server_instance | semmle.label | server_instance |
14+
| test.ps1:59:31:59:37 | server | semmle.label | server |
1215
subpaths
1316
#select
1417
| test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
1518
| test.ps1:9:72:9:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:9:72:9:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
1619
| test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
1720
| test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
21+
| test.ps1:59:31:59:37 | server | test.ps1:58:11:58:30 | server_instance | test.ps1:59:31:59:37 | server | This SQL query depends on a $@. | test.ps1:58:11:58:30 | server_instance | user-provided value |
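Review bot: the new `#select` row for `server` (test.ps1:59:31:59:37) records the known false positive as expected output, so this file now passes while the query still reports a flow that is not SQL injection; a short note in the test (or an issue reference) saying the row should disappear once the `-ServerInstance` sink is excluded would stop a later fix from reading as a regression in this file. Also note that the new edge `server_instance -> server` has an empty `provenance` column, whereas every other edge in the hunk carries `Src:MaD:0`, so this flow is not attributed to a MaD source model.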

powershell/ql/test/query-tests/security/cwe-089/test.ps1

Lines changed: 4 additions & 1 deletion
@@ -53,4 +53,7 @@ $parameter = $command.Parameters.Add("?", [System.Data.OleDb.OleDbType]::VarChar
5353
$parameter.Value = $userinput # GOOD
5454
$reader = $command.ExecuteReader()
5555
$reader.Close()
56-
$connection.Close()
56+
$connection.Close()
57+
58+
$server = $Env:SERVER_INSTANCE
59+
Invoke-Sqlcmd -ServerInstance $server -Database "MyDatabase" -InputFile "Foo/Bar/query.sql" # GOOD [FALSE POSITIVE]
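Review bot: the `# GOOD [FALSE POSITIVE]` marker on line 59 would be clearer if it said which argument triggers the alert: only `$server` is tainted, and it is passed to `-ServerInstance`, which selects the connection target, while the SQL itself comes from the constant `-InputFile "Foo/Bar/query.sql"`, so no user input reaches the query text. Separately, line 56 is removed and re-added unchanged (`$connection.Close()`), which usually means the original file lacked a trailing newline; harmless, but unrelated to the test being added.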
