Added modeling of rds v2 and v3 for sql injections

Napalys · Napalys · commit a8a6fdf2109d · 2025-07-29T14:50:19.000+02:00
diff --git a/javascript/ql/lib/ext/rds-client.model.yml b/javascript/ql/lib/ext/rds-client.model.yml
@@ -0,0 +1,23 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["RDSDataClientV3", "ReturnValue.Member[send].Argument[0]", "sql-injection"]
+      - ["RDSDataClientV2", "ReturnValue.Member[executeStatement,batchExecuteStatement].Argument[0].Member[sql]", "sql-injection"]
+      - ["RDSDataClientV2", "ReturnValue.Member[batchExecuteStatement].Argument[0].Member[parameterSets].ArrayElement.Member[sql]", "sql-injection"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: summaryModel
+    data:
+      - ["@aws-sdk/client-rds-data", "Member[ExecuteStatementCommand,BatchExecuteStatementCommand]", "Argument[0].Member[sql]", "ReturnValue", "taint"]
+      - ["@aws-sdk/client-rds-data", "Member[BatchExecuteStatementCommand]", "Argument[0].Member[parameterSets].ArrayElement.Member[sql]", "ReturnValue", "taint"]
+      - ["@aws-sdk/client-rds-data", "Member[ExecuteSqlCommand]", "Argument[0].Member[sqlStatements]", "ReturnValue", "taint"]
+
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: typeModel
+    data:
+      - ["RDSDataClientV3", "@aws-sdk/client-rds-data", "Member[RDSDataClient]"]
+      - ["RDSDataClientV2", "aws-sdk", "Member[RDSDataService]"]
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected b/javascript/ql/test/query-tests/Security/CWE-089/untyped/SqlInjection.expected
@@ -137,6 +137,10 @@
 | pg-promise.js:60:20:60:24 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:60:20:60:24 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
 | pg-promise.js:63:23:63:27 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:63:23:63:27 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
 | pg-promise.js:64:16:64:20 | query | pg-promise.js:7:16:7:34 | req.params.category | pg-promise.js:64:16:64:20 | query | This query string depends on a $@. | pg-promise.js:7:16:7:34 | req.params.category | user-provided value |
+| rds-client.js:19:23:19:58 | new Exe ... arams1) | rds-client.js:8:23:8:30 | req.body | rds-client.js:19:23:19:58 | new Exe ... arams1) | This query string depends on a $@. | rds-client.js:8:23:8:30 | req.body | user-provided value |
+| rds-client.js:36:23:36:51 | new Exe ... params) | rds-client.js:8:23:8:30 | req.body | rds-client.js:36:23:36:51 | new Exe ... params) | This query string depends on a $@. | rds-client.js:8:23:8:30 | req.body | user-provided value |
+| rds-client.js:53:14:53:22 | userQuery | rds-client.js:44:23:44:30 | req.body | rds-client.js:53:14:53:22 | userQuery | This query string depends on a $@. | rds-client.js:44:23:44:30 | req.body | user-provided value |
+| rds-client.js:61:50:61:52 | sql | rds-client.js:45:25:45:32 | req.body | rds-client.js:61:50:61:52 | sql | This query string depends on a $@. | rds-client.js:45:25:45:32 | req.body | user-provided value |
 | redis.js:10:16:10:27 | req.body.key | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | This query object depends on a $@. | redis.js:10:16:10:23 | req.body | user-provided value |
 | redis.js:18:16:18:18 | key | redis.js:12:15:12:22 | req.body | redis.js:18:16:18:18 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
 | redis.js:19:43:19:45 | key | redis.js:12:15:12:22 | req.body | redis.js:19:43:19:45 | key | This query object depends on a $@. | redis.js:12:15:12:22 | req.body | user-provided value |
@@ -563,6 +567,23 @@ edges
 | pg-promise.js:22:11:22:15 | query | pg-promise.js:60:20:60:24 | query | provenance |  |
 | pg-promise.js:22:11:22:15 | query | pg-promise.js:63:23:63:27 | query | provenance |  |
 | pg-promise.js:22:11:22:15 | query | pg-promise.js:64:16:64:20 | query | provenance |  |
+| rds-client.js:8:11:8:36 | userQuery | rds-client.js:17:14:17:22 | userQuery | provenance |  |
+| rds-client.js:8:11:8:36 | userQuery | rds-client.js:33:24:33:32 | userQuery | provenance |  |
+| rds-client.js:8:23:8:30 | req.body | rds-client.js:8:11:8:36 | userQuery | provenance |  |
+| rds-client.js:13:11:18:5 | params1 [sql] | rds-client.js:19:51:19:57 | params1 [sql] | provenance |  |
+| rds-client.js:13:21:18:5 | {\\n      ... y\\n    } [sql] | rds-client.js:13:11:18:5 | params1 [sql] | provenance |  |
+| rds-client.js:17:14:17:22 | userQuery | rds-client.js:13:21:18:5 | {\\n      ... y\\n    } [sql] | provenance |  |
+| rds-client.js:19:51:19:57 | params1 [sql] | rds-client.js:19:23:19:58 | new Exe ... arams1) | provenance |  |
+| rds-client.js:29:11:34:5 | params [sqlStatements] | rds-client.js:36:45:36:50 | params [sqlStatements] | provenance |  |
+| rds-client.js:29:20:34:5 | {\\n      ... y\\n    } [sqlStatements] | rds-client.js:29:11:34:5 | params [sqlStatements] | provenance |  |
+| rds-client.js:33:24:33:32 | userQuery | rds-client.js:29:20:34:5 | {\\n      ... y\\n    } [sqlStatements] | provenance |  |
+| rds-client.js:36:45:36:50 | params [sqlStatements] | rds-client.js:36:23:36:51 | new Exe ... params) | provenance |  |
+| rds-client.js:44:11:44:36 | userQuery | rds-client.js:53:14:53:22 | userQuery | provenance |  |
+| rds-client.js:44:23:44:30 | req.body | rds-client.js:44:11:44:36 | userQuery | provenance |  |
+| rds-client.js:45:11:45:40 | userQueries | rds-client.js:61:24:61:34 | userQueries | provenance |  |
+| rds-client.js:45:25:45:32 | req.body | rds-client.js:45:11:45:40 | userQueries | provenance |  |
+| rds-client.js:61:24:61:34 | userQueries | rds-client.js:61:40:61:42 | sql | provenance |  |
+| rds-client.js:61:40:61:42 | sql | rds-client.js:61:50:61:52 | sql | provenance |  |
 | redis.js:10:16:10:23 | req.body | redis.js:10:16:10:27 | req.body.key | provenance | Config |
 | redis.js:12:9:12:26 | key | redis.js:13:16:13:18 | key | provenance |  |
 | redis.js:12:9:12:26 | key | redis.js:18:16:18:18 | key | provenance |  |
@@ -940,6 +961,26 @@ nodes
 | pg-promise.js:60:20:60:24 | query | semmle.label | query |
 | pg-promise.js:63:23:63:27 | query | semmle.label | query |
 | pg-promise.js:64:16:64:20 | query | semmle.label | query |
+| rds-client.js:8:11:8:36 | userQuery | semmle.label | userQuery |
+| rds-client.js:8:23:8:30 | req.body | semmle.label | req.body |
+| rds-client.js:13:11:18:5 | params1 [sql] | semmle.label | params1 [sql] |
+| rds-client.js:13:21:18:5 | {\\n      ... y\\n    } [sql] | semmle.label | {\\n      ... y\\n    } [sql] |
+| rds-client.js:17:14:17:22 | userQuery | semmle.label | userQuery |
+| rds-client.js:19:23:19:58 | new Exe ... arams1) | semmle.label | new Exe ... arams1) |
+| rds-client.js:19:51:19:57 | params1 [sql] | semmle.label | params1 [sql] |
+| rds-client.js:29:11:34:5 | params [sqlStatements] | semmle.label | params [sqlStatements] |
+| rds-client.js:29:20:34:5 | {\\n      ... y\\n    } [sqlStatements] | semmle.label | {\\n      ... y\\n    } [sqlStatements] |
+| rds-client.js:33:24:33:32 | userQuery | semmle.label | userQuery |
+| rds-client.js:36:23:36:51 | new Exe ... params) | semmle.label | new Exe ... params) |
+| rds-client.js:36:45:36:50 | params [sqlStatements] | semmle.label | params [sqlStatements] |
+| rds-client.js:44:11:44:36 | userQuery | semmle.label | userQuery |
+| rds-client.js:44:23:44:30 | req.body | semmle.label | req.body |
+| rds-client.js:45:11:45:40 | userQueries | semmle.label | userQueries |
+| rds-client.js:45:25:45:32 | req.body | semmle.label | req.body |
+| rds-client.js:53:14:53:22 | userQuery | semmle.label | userQuery |
+| rds-client.js:61:24:61:34 | userQueries | semmle.label | userQueries |
+| rds-client.js:61:40:61:42 | sql | semmle.label | sql |
+| rds-client.js:61:50:61:52 | sql | semmle.label | sql |
 | redis.js:10:16:10:23 | req.body | semmle.label | req.body |
 | redis.js:10:16:10:27 | req.body.key | semmle.label | req.body.key |
 | redis.js:12:9:12:26 | key | semmle.label | key |
diff --git a/javascript/ql/test/query-tests/Security/CWE-089/untyped/rds-client.js b/javascript/ql/test/query-tests/Security/CWE-089/untyped/rds-client.js
@@ -5,7 +5,7 @@ const app = express();
 app.use(bodyParser.json());
 
 app.post('/v3/rds/all', async (req, res) => {
-    const userQuery = req.body.query; // $ MISSING: Source
+    const userQuery = req.body.query; // $ Source
     const userQueries = req.body.queries; // $ MISSING: Source
 
     const client = new RDSDataClient({ region: "us-east-1" });
@@ -16,7 +16,7 @@ app.post('/v3/rds/all', async (req, res) => {
         database: "userDatabase",
         sql: userQuery
     };
-    await client.send(new ExecuteStatementCommand(params1)); // $ MISSING: Alert
+    await client.send(new ExecuteStatementCommand(params1)); // $ Alert
 
     const params2 = {
         resourceArn: "arn:aws:rds:us-east-1:123456789012:cluster:my-aurora-cluster",
@@ -33,32 +33,32 @@ app.post('/v3/rds/all', async (req, res) => {
         sqlStatements: userQuery
     };
 
-    await client.send(new ExecuteSqlCommand(params)); // $ MISSING: Alert
+    await client.send(new ExecuteSqlCommand(params)); // $ Alert
 
     res.end();
 });
 
 const AWS = require('aws-sdk');
 
 app.post('/v2/rds/all', async (req, res) => {
-    const userQuery = req.body.query; // $ MISSING: Source
-    const userQueries = req.body.queries; // $ MISSING: Source
+    const userQuery = req.body.query; // $ Source
+    const userQueries = req.body.queries; // $ Source
 
     const rdsData = new AWS.RDSDataService({ region: "us-east-1" });
 
     const params1 = {
         resourceArn: "arn:aws:rds:us-east-1:123456789012:cluster:my-aurora-cluster",
         secretArn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret",
         database: "userDatabase",
-        sql: userQuery // $ MISSING: Alert
+        sql: userQuery // $ Alert
     };
     await rdsData.executeStatement(params1).promise();
 
     const params2 = {
         resourceArn: "arn:aws:rds:us-east-1:123456789012:cluster:my-aurora-cluster",
         secretArn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-secret",
         database: "userDatabase",
-        parameterSets: userQueries.map(sql => ({ sql })) // $ MISSING: Alert
+        parameterSets: userQueries.map(sql => ({ sql })) // $ Alert
     };
     await rdsData.batchExecuteStatement(params2).promise();
 
