From 3b932164e50c818ddbc2696de40bd6edb6d4a931 Mon Sep 17 00:00:00 2001 From: michael hohn Date: Thu, 4 Sep 2025 23:32:50 -0700 Subject: [PATCH] Fixed the -- completely -- broken Sink query --- README.org | 10 +++++++--- SinkExecCommandThirdArg.ql | 19 ++++++++++++------- SinkExecCommandThirdArg.sarif | 1 + db.4b6900.codeql-2.22.zip | 3 --- qlpack.yml | 2 +- 5 files changed, 21 insertions(+), 14 deletions(-) create mode 100644 SinkExecCommandThirdArg.sarif delete mode 100644 db.4b6900.codeql-2.22.zip diff --git a/README.org b/README.org index 0007e61..5be5adb 100644 --- a/README.org +++ b/README.org @@ -17,7 +17,8 @@ go mod tidy 2>/dev/null || true # Create the CodeQL database (Go extractor auto-detected) - codeql database create db --language=go --source-root . + codeql database create db.4b6900 --language=go --command=./build.sh + #+end_src If you already have a database, you can skip creation and reuse it. @@ -32,7 +33,7 @@ codeql pack install # Run both queries in this directory against the database - codeql database analyze db . \ + codeql database analyze db.4b6900 . \ --format=sarifv2.1.0 \ --output=results.sarif #+end_src @@ -41,7 +42,10 @@ #+begin_src shell codeql database analyze db SourceGetUserInfo.ql --format=text - codeql database analyze db SinkExecCommandThirdArg.ql --format=text + codeql database analyze db.4b6900 \ + SinkExecCommandThirdArg.ql \ + --format=sarifv2.1.0 \ + --output=SinkExecCommandThirdArg.sarif #+end_src * Notes diff --git a/SinkExecCommandThirdArg.ql b/SinkExecCommandThirdArg.ql index e1ff911..bf34896 100644 --- a/SinkExecCommandThirdArg.ql +++ b/SinkExecCommandThirdArg.ql 
@@ -1,16 +1,21 @@ /** - * Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2. - * Uses AST/semantic matching via resolved call target and argument position. - */ +* @name Sink identification +* @description Sink identification +* @kind problem +* @id go/demo/sink +* @problem.severity warning + +* Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2. +* Uses AST/semantic matching via resolved call target and argument position. +*/ import go /** A sink expression corresponding to the 3rd argument to exec.Command. */ predicate isSink(Expr e) { - exists(Call c, Function f | - f = c.getTarget() and - f.getName() = "Command" and - f.getDeclaringPackage().getName() = "exec" and + exists(CallExpr c | + c.getCalleeName() = "Command" + and e = c.getArgument(2) ) } diff --git a/SinkExecCommandThirdArg.sarif b/SinkExecCommandThirdArg.sarif new file mode 100644 index 0000000..4b8286c --- /dev/null +++ b/SinkExecCommandThirdArg.sarif 
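Review bot: The rewritten `isSink` keys on `c.getCalleeName() = "Command"` alone, which flags the third argument of any function or method named Command in the codebase, not only `os/exec.Command`, so the sink set is wider than the comment above it describes; resolving the callee instead, `c.getTarget().hasQualifiedName("os/exec", "Command")`, keeps the match tied to the standard-library function while avoiding the package lookup the old version stumbled on. The new QLDoc header also places the two prose lines after `@problem.severity warning`, and the SARIF added in this same commit shows them absorbed into that tag's value (`"problem.severity":"warning\n\n Identify the sink ..."`); moving the prose above `@name`, or folding it into `@description`, keeps the rule metadata clean. The query's `from`/`select` part lies outside this hunk and is not covered by this review.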
@@ -0,0 +1 @@ +{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.22.4","notifications":[{"id":"go/baseline/expected-extracted-files","name":"go/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"go/demo/sink","name":"go/demo/sink","shortDescription":{"text":"Sink identification"},"fullDescription":{"text":"Sink identification"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"description":"Sink identification","id":"go/demo/sink","kind":"problem","name":"Sink identification","problem.severity":"warning\n\n Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.\n Uses AST/semantic matching via resolved call target and argument position."}}]},"extensions":[{"name":"hohnlab/codeql-dataflow-sql-injection-go","semanticVersion":"0.0.1","locations":[{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///mnt/common/home/hohn/work-gh/codeql-dataflow-sql-injection-go/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/go-all","semanticVersion":"4.3.3+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/","description":{"text":"The QL pack root 
directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/go-all/4.3.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.30+28f02c07d7d744d761520fbfb354f96827a11f6c","locations":[{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/hohn/.codeql/packages/codeql/threat-models/1.0.30/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/baseline/expected-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform.","markdown":"On the Linux (amd64; 6.15.9-201.fc42.x86_64) platform."},"level":"none","timeUtc":"2025-09-05T06:02:18.354356304Z","descriptor":{"id":"cli/platform","index":1},"properties":{"attributes":{"arch":"amd64","name":"Linux","version":"6.15.9-201.fc42.x86_64"},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0}}],"results":[{"ruleId":"go/demo/sink","ruleIndex":0,"rule":{"id":"go/demo/sink","index":0},"message":{"text":"Sink: 3rd argument to 
exec.Command"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"add-user.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":36,"startColumn":52,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"effc8e85b7721feb:1","primaryLocationStartColumnFingerprint":"47"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0"}}]} \ No newline at end of file diff --git a/db.4b6900.codeql-2.22.zip b/db.4b6900.codeql-2.22.zip deleted file mode 100644 index 6e5579d..0000000 --- a/db.4b6900.codeql-2.22.zip +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2b53596642bd49fd0402ba36630df7f6d0bbc0b0a779a5eed121c95748d109e9 -size 354044 diff --git a/qlpack.yml b/qlpack.yml index d084a2a..93630de 100644 --- a/qlpack.yml +++ b/qlpack.yml @@ -2,7 +2,7 @@ name: hohnlab/codeql-dataflow-sql-injection-go version: 0.0.1 extractor: go dependencies: - codeql/go: "*" + codeql/go-all: "*" queries: - SourceGetUserInfo.ql - SinkExecCommandThirdArg.ql
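Review bot: The renamed dependency `codeql/go-all: "*"` still accepts any published version of the library pack, so what `codeql pack install` resolves can change from one run to the next, and with it the set of calls this query matches; the SARIF added in this commit records `codeql/go-all` 4.3.3 as the version the fix was actually validated against. Pinning that range, `codeql/go-all: "^4.3.3"`, or committing the `codeql-pack.lock.yml` that `codeql pack install` writes, would keep later runs reproducible. This applies only to the qlpack.yml hunk; the LFS pointer deletion and the generated SARIF need no change.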