Static analysis of SQL statements

RESOLVED INVALID

Status

Firefox Build System
Source Code Analysis
RESOLVED INVALID
10 years ago
3 months ago

People

(Reporter: Ondrej Brablc, Assigned: (dormant account))

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
Bug 405920 requested an audit of SQL statements in Places to prevent SQL injection. Because such analysis should be done on regular basis, it is favorable to create an automated tool and extend this audit to the whole code base.

The tool should find all calls to following methods:

mozIStorageStatement::initialize
mozIStorageConnection::createStatement
mozIStorageConnection::executeSimpleSQL

The SQL parameter should be checked, whether it is a literal constant (which may include macro fragments) or a variable or result of a function call. It should be possible to use some comments in code that would notify the parser that the next occurrence is verified dynamically built SQL statement to avoid false alarms.

It would be great if all the parsed statements were stored in a file. This would allow deeper automated testing:
- check that all queries can be prepared after database conversion,
- check that SELECT use indexes in the query plan on all tables.
(Reporter)

Comment 1

10 years ago
Bug 405920 implemented simple perl based script that runs on all platforms and does not require any setup. This bug is not needed now.
Status: ASSIGNED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID

Updated

3 months ago
Product: Core → Firefox Build System
You need to log in before you can comment on or make changes to this bug.