codeql-sap-js/javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql at main · advanced-security/codeql-sap-js · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
/**
 * @name CQL query built from user-controlled sources
 * @description Building a CQL query from user-controlled sources is vulnerable to insertion of
 *              malicious code by the user.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 * @precision high
 * @id js/cap-sql-injection
 * @tags security
 */

import javascript
import advanced_security.javascript.frameworks.cap.CAPCqlInjectionQuery

module CqlInjectionConfigurationFlow = TaintTracking::Global<CqlInjectionConfiguration>;

import CqlInjectionConfigurationFlow::PathGraph

from CqlInjectionConfigurationFlow::PathNode source, CqlInjectionConfigurationFlow::PathNode sink
where CqlInjectionConfigurationFlow::flowPath(source, sink)
select sink.getNode().(CqlInjectionSink).getQuery(), source, sink,
  "This CQL query contains a string concatenation with a $@.", source.getNode(),
  "user-provided value"