PS: Add a query for SQL injection.

MathiasVP · MathiasVP · commit e4d5b1e65e2c · 2025-04-29T17:57:43.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -0,0 +1,78 @@
+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * SQL-injection vulnerabilities, as well as extension points for
+ * adding your own.
+ */
+
+private import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.ApiGraphs
+private import semmle.code.powershell.dataflow.flowsources.FlowSources
+private import semmle.code.powershell.Cfg
+
+module SqlInjection {
+  /**
+   * A data flow source for SQL-injection vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node {
+    /** Gets a string that describes the type of this flow source. */
+    abstract string getSourceType();
+  }
+
+  /**
+   * A data flow sink for SQL-injection vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    abstract string getSinkType();
+  }
+
+  /**
+   * A sanitizer for SQL-injection vulnerabilities.
+   */
+  abstract class Sanitizer extends DataFlow::Node { }
+
+  /** A source of user input, considered as a flow source for command injection. */
+  class FlowSourceAsSource extends Source instanceof SourceNode {
+    override string getSourceType() { result = "user-provided value" }
+  }
+
+  class InvokeSqlCmdSink extends Sink {
+    InvokeSqlCmdSink() {
+      exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
+        this = call.getNamedArgument("query")
+        or
+        not call.hasNamedArgument("query") and
+        this = call.getArgument(0)
+      )
+    }
+
+    override string getSinkType() { result = "call to Invoke-Sqlcmd" }
+  }
+
+  class ConnectionStringWriteSink extends Sink {
+    string memberName;
+
+    ConnectionStringWriteSink() {
+      exists(CfgNodes::StmtNodes::AssignStmtCfgNode assign |
+        memberName = "CommandText" and
+        assign
+            .getLeftHandSide()
+            .(CfgNodes::ExprNodes::MemberExprCfgNode)
+            .memberNameMatches(memberName) and
+        assign.getRightHandSide() = this.asExpr()
+      )
+    }
+
+    override string getSinkType() { result = "write to " + memberName }
+  }
+
+  class SqlCmdSink extends Sink {
+    SqlCmdSink() {
+      exists(DataFlow::CallOperatorNode call |
+        call.getCommand().asExpr().getValue().stringMatches("sqlcmd") and
+        call.getAnArgument() = this
+      )
+    }
+
+    override string getSinkType() { result = "call to sqlcmd" }
+  }
+}
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionQuery.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionQuery.qll
@@ -0,0 +1,26 @@
+/**
+ * Provides a taint tracking configuration for reasoning about
+ * SQL-injection vulnerabilities (CWE-078).
+ *
+ * Note, for performance reasons: only import this file if
+ * `SqlInjectionFlow` is needed, otherwise
+ * `SqlInjectionCustomizations` should be imported instead.
+ */
+
+import powershell
+import semmle.code.powershell.dataflow.TaintTracking
+import SqlInjectionCustomizations::SqlInjection
+import semmle.code.powershell.dataflow.DataFlow
+
+private module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
+}
+
+/**
+ * Taint-tracking for reasoning about SQL-injection vulnerabilities.
+ */
+module SqlInjectionFlow = TaintTracking::Global<Config>;
diff --git a/powershell/ql/src/queries/security/cwe-089/SqlInjection.qhelp b/powershell/ql/src/queries/security/cwe-089/SqlInjection.qhelp
@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>If a SQL query is built using string concatenation, and the
+components of the concatenation include user input, a user 
+is likely to be able to run malicious database queries.</p>
+</overview>
+
+<recommendation>
+<p>Usually, it is better to use a prepared statement than to build a
+complete query with string concatenation. A prepared statement can
+include a parameter, written as either a question mark (<code>?</code>) or with
+an explicit name (<code>@parameter</code>), for each part of the SQL query that is
+expected to be filled in by a different value each time it is run.
+When the query is later executed, a value must be
+supplied for each parameter in the query.</p>
+
+<p>It is good practice to use prepared statements for supplying
+parameters to a query, whether or not any of the parameters are
+directly traceable to user input. Doing so avoids any need to worry
+about quoting and escaping.</p>
+</recommendation>
+
+<example>
+<p>In the following example, the code runs a simple SQL query in two different ways.</p>
+
+<p>The first way involves building a query, <code>query1</code>, by interpolating a
+user-supplied text value with some string literals. The value can include special
+characters, so this code allows for SQL injection attacks.</p>
+
+<p>The second way builds a query, <code>query2</code>, with a
+single string literal that includes a parameter (<code>@username</code>). The parameter
+is then given a value by providing a hash table <code>$params</code> when executing the
+query. This version is immune to injection attacks, because any special characters are
+not given any special treatment.</p>
+
+<sample src="examples/SqlInjection.ps1" />
+</example>
+
+<references>
+<li>MSDN: <a href="https://msdn.microsoft.com/en-us/library/ff648339.aspx">How To: Protect From SQL Injection in ASP.NET</a>.</li>
+</references>
+</qhelp>
diff --git a/powershell/ql/src/queries/security/cwe-089/SqlInjection.ql b/powershell/ql/src/queries/security/cwe-089/SqlInjection.ql
@@ -0,0 +1,24 @@
+/**
+ * @name SQL query built from user-controlled sources
+ * @description Building a SQL query from user-controlled sources is vulnerable to insertion of
+ *              malicious SQL code by the user.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id powershell/microsoft/public/sql-injection
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-089
+ */
+
+import powershell
+import semmle.code.powershell.security.SqlInjectionQuery
+import SqlInjectionFlow::PathGraph
+
+from SqlInjectionFlow::PathNode source, SqlInjectionFlow::PathNode sink, Source sourceNode
+where
+  SqlInjectionFlow::flowPath(source, sink) and
+  sourceNode = source.getNode()
+select sink.getNode(), source, sink, "This SQL query depends on a $@.", sourceNode,
+  sourceNode.getSourceType()
diff --git a/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1 b/powershell/ql/src/queries/security/cwe-089/examples/SqlInjection.ps1
@@ -0,0 +1,16 @@
+param(
+    [string]$userinput
+)
+
+# BAD: The user input is directly interpolated into the SQL query string
+$query1 = "SELECT * FROM users WHERE name = '$userinput'"
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query
+
+# GOOD: Using parameters to prevent SQL injection
+$query2 = "SELECT * FROM users WHERE name = @username"
+
+$params = @{
+  username = $userinput
+}
+
+Invoke-Sqlcmd -ServerInstance "MyServer" -Database "MyDatabase" -Query $query -QueryParameters $params
