
Commit c667894

PS: Add query test for the new SQL injection query.
1 parent e4d5b1e commit c667894


3 files changed

+74
-0
lines changed

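--- a/[expected-file-path-not-on-page]
+++ b/[expected-file-path-not-on-page]
@@ -0,0 +1,17 @@
+edges
+| test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | provenance | Src:MaD:11464 |
+| test.ps1:1:14:1:45 | Call to read-host | test.ps1:9:72:9:77 | query | provenance | Src:MaD:11464 |
+| test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | Src:MaD:11464 |
+| test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | provenance | Src:MaD:11464 |
+nodes
+| test.ps1:1:14:1:45 | Call to read-host | semmle.label | Call to read-host |
+| test.ps1:5:72:5:77 | query | semmle.label | query |
+| test.ps1:9:72:9:77 | query | semmle.label | query |
+| test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$userinput' |
+| test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | semmle.label | SELECT * FROM MyTable WHERE MyColumn = '$userinput' |
+subpaths
+#select
+| test.ps1:5:72:5:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:5:72:5:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
+| test.ps1:9:72:9:77 | query | test.ps1:1:14:1:45 | Call to read-host | test.ps1:9:72:9:77 | query | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
+| test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:17:24:17:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |
+| test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | test.ps1:1:14:1:45 | Call to read-host | test.ps1:28:24:28:76 | SELECT * FROM MyTable WHERE MyColumn = '$userinput' | This SQL query depends on a $@. | test.ps1:1:14:1:45 | Call to read-host | user-provided value |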
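--- a/[qlref-path-not-on-page]
+++ b/[qlref-path-not-on-page]
@@ -0,0 +1 @@
+queries/security/cwe-089/SqlInjection.ql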
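--- a/test.ps1
+++ b/test.ps1
@@ -0,0 +1,56 @@
+$userinput = Read-Host "Please enter a value"
+
+# Example using Invoke-Sqlcmd with string interpolation
+$query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'"
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # BAD
+
+# Example using Invoke-Sqlcmd with string concatenation
+$query = "SELECT * FROM MyTable WHERE " + $userinput
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query # BAD
+
+#Example using System.Data.SqlClient
+$connection = New-Object System.Data.SqlClient.SqlConnection
+$connection.ConnectionString = "Server=MyServer;Database=MyDatabase;"
+$connection.Open()
+
+$command = $connection.CreateCommand()
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # BAD
+$reader = $command.ExecuteReader()
+$reader.Close()
+$connection.Close()
+
+# Example using System.Data.OleDb
+$connection = New-Object System.Data.OleDb.OleDbConnection
+$connection.ConnectionString = "Provider=SQLOLEDB;Data Source=MyServer;Initial Catalog=MyDatabase;"
+$connection.Open()
+
+$command = $connection.CreateCommand()
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'" # BAD
+$reader = $command.ExecuteReader()
+$reader.Close()
+$connection.Close()
+
+# Example using System.Data.SqlClient with parameters
+$connection = New-Object System.Data.SqlClient.SqlConnection
+$connection.ConnectionString = "Server=MyServer;Database=MyDatabase;"
+$connection.Open()
+
+$command = $connection.CreateCommand()
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = @userinput"
+$parameter = $command.Parameters.Add("@userinput", [System.Data.SqlDbType]::NVarChar)
+$parameter.Value = $userinput # GOOD
+$reader = $command.ExecuteReader()
+$reader.Close()
+$connection.Close()
+
+# Example using System.Data.OleDb with parameters
+$connection = New-Object System.Data.OleDb.OleDbConnection
+$connection.ConnectionString = "Provider=SQLOLEDB;Data Source=MyServer;Initial Catalog=MyDatabase;"
+$connection.Open()
+$command = $connection.CreateCommand()
+$command.CommandText = "SELECT * FROM MyTable WHERE MyColumn = ?"
+$parameter = $command.Parameters.Add("?", [System.Data.OleDb.OleDbType]::VarChar)
+$parameter.Value = $userinput # GOOD
+$reader = $command.ExecuteReader()
+$reader.Close()
+$connection.Close()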
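Review bot: Every ADO.NET case in this test executes the command through `ExecuteReader()` (lines 18, 29, 42, 54), so the test pins nothing about other execution paths; if the query also models `ExecuteNonQuery`, `ExecuteScalar` or `SqlDataAdapter` as sinks, one BAD case per modeled method would keep them covered by the expected output. The two Invoke-Sqlcmd cases (lines 5 and 9) both route the tainted string through the `$query` variable, and the expected `#select` rows report that variable as the sink, so a case that interpolates `$userinput` directly into the `-Query` argument would confirm the sink is recognized without the intermediate assignment. As a point of style, the header on line 11 reads `#Example using System.Data.SqlClient` while every other section header has a space after `#`; `# Example using System.Data.SqlClient` matches the rest of the file.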
