Merge pull request #5 from jketema/cpp/mad-barriers

owen-mc · web-flow · commit 82e2afc93ce2 · 2026-01-23T15:06:32.000Z
C++: Add MySQL MaD taint and barrier models
diff --git a/cpp/ql/lib/change-notes/2026-01-23-mysql.md b/cpp/ql/lib/change-notes/2026-01-23-mysql.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.
diff --git a/cpp/ql/lib/ext/MySql.model.yml b/cpp/ql/lib/ext/MySql.model.yml
@@ -0,0 +1,14 @@
+# partial model of the MySQL api
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*2]", "Argument[*1]", "taint", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: barrierModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      - ["", "", False, "mysql_real_escape_string", "", "", "Argument[*1]", "sql-injection", "manual"]
+      - ["", "", False, "mysql_real_escape_string_quote", "", "", "Argument[*1]", "sql-injection", "manual"]
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/MySql.qll
@@ -16,17 +16,3 @@ private class MySqlExecutionFunction extends SqlExecutionFunction {
 
   override predicate hasSqlArgument(FunctionInput input) { input.isParameterDeref(1) }
 }
-
-/**
- * The `mysql_real_escape_string` family of functions from the MySQL C API.
- */
-private class MySqlBarrierFunction extends SqlBarrierFunction {
-  MySqlBarrierFunction() {
-    this.hasName(["mysql_real_escape_string", "mysql_real_escape_string_quote"])
-  }
-
-  override predicate barrierSqlArgument(FunctionInput input, FunctionOutput output) {
-    input.isParameterDeref(2) and
-    output.isParameterDeref(1)
-  }
-}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: minorAnalysis
 +---
 +* Added `taint` summary models and `sql-injection` barrier models for the mySQL `mysql_real_escape_string` and `mysql_real_escape_string_quote` escaping functions.