C++: Support SQL Injection sinks for Oracle Call Interface (OCI) #19832
+61
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for SQL injection sinks for Oracle Call Interface (OCI) in C/C++ by adding models for the OCIStmtPrepare and OCIStmtPrepare2 functions. Key changes include:
- Adding OCI function prototypes and test cases in test.c to trigger both vulnerable (BAD) and safe (GOOD) patterns.
- Updating expected taint flow edges in the SqlTainted.expected file.
- Extending the CodeQL model through modifications in SqlTainted.ql, Oracle.oci.model.yml, and change notes documentation.
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/test.c | Added OCI function prototypes and test cases for OCIStmtPrepare and OCIStmtPrepare2 including taint tracking for SQL injection. |
| cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted/SqlTainted.expected | Updated expected taint flow edge definitions to include new OCI models. |
| cpp/ql/src/change-notes/2025-06-20-sql-injection-models.md | Documented extension of sql-injection sink support through Models as Data. |
| cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql | Enhanced sink configuration to include the new "sql-injection" model. |
| cpp/ql/lib/ext/Oracle.oci.model.yml | Added sink models for OCIStmtPrepare and OCIStmtPrepare2 functions with sql-injection kind. |
| cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md | Documented the addition of OCI sql-injection sink models. |
| } | ||
|
|
||
| // Oracle Call Interface (OCI) Routines | ||
| int OCIStmtPrepare( |
There was a problem hiding this comment.
[nitpick] Consider moving the Oracle OCI function prototypes to a dedicated header file to improve maintainability and reduce duplication in test code.
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #19764
sql-injectionModels as Data (MaD) sink kind for C/C++.sql-injectionsink models for the Oracle Call Interface (OCI) database library functionsOCIStmtPrepareandOCIStmtPrepare2.