diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
index d8b9fc193f8a..ea93309874a3 100644
--- a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
+++ b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -48,15 +48,19 @@ module SqlInjection {
 override string getSourceType() { result = this.(SourceNode).getSourceType() }
 }
 
+ private string query() { result = ["query", "q"] }
+
+ private string inputfile() { result = ["inputfile", "i"] }
+
 class InvokeSqlCmdSink extends Sink {
 InvokeSqlCmdSink() {
 exists(DataFlow::CallNode call | call.matchesName("Invoke-Sqlcmd") |
- this = call.getNamedArgument("query")
+ this = call.getNamedArgument(query())
 or
- this = call.getNamedArgument("inputfile")
+ this = call.getNamedArgument(inputfile())
 or
- not call.hasNamedArgument("query") and
- not call.hasNamedArgument("inputfile") and
+ not call.hasNamedArgument(query()) and
+ not call.hasNamedArgument(inputfile()) and
 this = call.getArgument(0)
 or
 // TODO: Here we really should pick a splat argument, but we don't yet extract whether an
diff --git a/powershell/ql/test/query-tests/security/cwe-089/test.ps1 b/powershell/ql/test/query-tests/security/cwe-089/test.ps1
index 2a4056170353..de2d64d2ec81 100644
--- a/powershell/ql/test/query-tests/security/cwe-089/test.ps1
+++ b/powershell/ql/test/query-tests/security/cwe-089/test.ps1
@@ -107,3 +107,6 @@ function TakesTypedParameters([int]$i, [long]$l, [float]$f, [double]$d, [decimal
 }
 TakesTypedParameters $userinput $userinput $userinput $userinput $userinput $userinput $userinput $userinput
 
+
+$query = "SELECT * FROM MyTable WHERE MyColumn = '$userinput'"
+Invoke-Sqlcmd -unknown $userinput -ServerInstance "MyServer" -Database "MyDatabase" -q "SELECT * FROM MyTable" # GOOD
\ No newline at end of file
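Review bot: The new `query()` and `inputfile()` predicates carry no QLDoc, so a reader cannot tell that `"q"` and `"i"` are meant as the documented short aliases of Invoke-Sqlcmd's `-Query` and `-InputFile` parameters rather than arbitrary strings; add `/** The parameter name and alias that select the query text for `Invoke-Sqlcmd`. */` and the matching comment on `inputfile()`. PowerShell also accepts parameter names case-insensitively and by any unambiguous prefix (e.g. `-Que`), which an exact-string list does not cover unless `getNamedArgument`/`hasNamedArgument` normalize the name; that is not visible here, so if they do not, a note on the predicates stating the limitation would keep the sink's coverage honest. The negated `hasNamedArgument(query())` reads correctly as "no query-named argument in any spelling" because the multi-valued predicate is existentially quantified under the `not`. The `InvokeSqlCmdSink` constructor continues past the end of the hunk.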
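Review bot: The added `$query` variable, which concatenates `$userinput` into SQL, is assigned but never passed to `Invoke-Sqlcmd`, so the new test exercises only the `-q` alias with a constant string and the tainted value reaches nothing; either drop the assignment or add a companion call such as `Invoke-Sqlcmd -q $query # BAD` so the alias is tested on the positive path as well as the negative one. Pairing the `# GOOD` case with a `# BAD` case would also confirm that the alias lookup, not merely the positional-argument fallback, is what the expected-output file checks.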