initial generated files

2025-12-15 18:03:03 +01:00 · 2025-09-01 22:58:51 -07:00
parent a47c7da446
commit 4b69003806
5 changed files with 392 additions and 0 deletions
--- a/README.html
+++ b/README.html
@@ -0,0 +1,294 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head>
+<!-- 2025-09-01 Mon 22:54 -->
+<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
+<meta name="viewport" content="width=device-width, initial-scale=1" />
+<title>CodeQL Dataflow SQL Injection (Go)</title>
+<meta name="author" content="Michael Hohn" />
+<meta name="generator" content="Org Mode" />
+<style type="text/css">
+  #content { max-width: 60em; margin: auto; }
+  .title  { text-align: center;
+             margin-bottom: .2em; }
+  .subtitle { text-align: center;
+              font-size: medium;
+              font-weight: bold;
+              margin-top:0; }
+  .todo   { font-family: monospace; color: red; }
+  .done   { font-family: monospace; color: green; }
+  .priority { font-family: monospace; color: orange; }
+  .tag    { background-color: #eee; font-family: monospace;
+            padding: 2px; font-size: 80%; font-weight: normal; }
+  .timestamp { color: #bebebe; }
+  .timestamp-kwd { color: #5f9ea0; }
+  .org-right  { margin-left: auto; margin-right: 0px;  text-align: right; }
+  .org-left   { margin-left: 0px;  margin-right: auto; text-align: left; }
+  .org-center { margin-left: auto; margin-right: auto; text-align: center; }
+  .underline { text-decoration: underline; }
+  #postamble p, #preamble p { font-size: 90%; margin: .2em; }
+  p.verse { margin-left: 3%; }
+  pre {
+    border: 1px solid #e6e6e6;
+    border-radius: 3px;
+    background-color: #f2f2f2;
+    padding: 8pt;
+    font-family: monospace;
+    overflow: auto;
+    margin: 1.2em;
+  }
+  pre.src {
+    position: relative;
+    overflow: auto;
+  }
+  pre.src:before {
+    display: none;
+    position: absolute;
+    top: -8px;
+    right: 12px;
+    padding: 3px;
+    color: #555;
+    background-color: #f2f2f299;
+  }
+  pre.src:hover:before { display: inline; margin-top: 14px;}
+  /* Languages per Org manual */
+  pre.src-asymptote:before { content: 'Asymptote'; }
+  pre.src-awk:before { content: 'Awk'; }
+  pre.src-authinfo::before { content: 'Authinfo'; }
+  pre.src-C:before { content: 'C'; }
+  /* pre.src-C++ doesn't work in CSS */
+  pre.src-clojure:before { content: 'Clojure'; }
+  pre.src-css:before { content: 'CSS'; }
+  pre.src-D:before { content: 'D'; }
+  pre.src-ditaa:before { content: 'ditaa'; }
+  pre.src-dot:before { content: 'Graphviz'; }
+  pre.src-calc:before { content: 'Emacs Calc'; }
+  pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
+  pre.src-fortran:before { content: 'Fortran'; }
+  pre.src-gnuplot:before { content: 'gnuplot'; }
+  pre.src-haskell:before { content: 'Haskell'; }
+  pre.src-hledger:before { content: 'hledger'; }
+  pre.src-java:before { content: 'Java'; }
+  pre.src-js:before { content: 'Javascript'; }
+  pre.src-latex:before { content: 'LaTeX'; }
+  pre.src-ledger:before { content: 'Ledger'; }
+  pre.src-lisp:before { content: 'Lisp'; }
+  pre.src-lilypond:before { content: 'Lilypond'; }
+  pre.src-lua:before { content: 'Lua'; }
+  pre.src-matlab:before { content: 'MATLAB'; }
+  pre.src-mscgen:before { content: 'Mscgen'; }
+  pre.src-ocaml:before { content: 'Objective Caml'; }
+  pre.src-octave:before { content: 'Octave'; }
+  pre.src-org:before { content: 'Org mode'; }
+  pre.src-oz:before { content: 'OZ'; }
+  pre.src-plantuml:before { content: 'Plantuml'; }
+  pre.src-processing:before { content: 'Processing.js'; }
+  pre.src-python:before { content: 'Python'; }
+  pre.src-R:before { content: 'R'; }
+  pre.src-ruby:before { content: 'Ruby'; }
+  pre.src-sass:before { content: 'Sass'; }
+  pre.src-scheme:before { content: 'Scheme'; }
+  pre.src-screen:before { content: 'Gnu Screen'; }
+  pre.src-sed:before { content: 'Sed'; }
+  pre.src-sh:before { content: 'shell'; }
+  pre.src-sql:before { content: 'SQL'; }
+  pre.src-sqlite:before { content: 'SQLite'; }
+  /* additional languages in org.el's org-babel-load-languages alist */
+  pre.src-forth:before { content: 'Forth'; }
+  pre.src-io:before { content: 'IO'; }
+  pre.src-J:before { content: 'J'; }
+  pre.src-makefile:before { content: 'Makefile'; }
+  pre.src-maxima:before { content: 'Maxima'; }
+  pre.src-perl:before { content: 'Perl'; }
+  pre.src-picolisp:before { content: 'Pico Lisp'; }
+  pre.src-scala:before { content: 'Scala'; }
+  pre.src-shell:before { content: 'Shell Script'; }
+  pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
+  /* additional language identifiers per "defun org-babel-execute"
+       in ob-*.el */
+  pre.src-cpp:before  { content: 'C++'; }
+  pre.src-abc:before  { content: 'ABC'; }
+  pre.src-coq:before  { content: 'Coq'; }
+  pre.src-groovy:before  { content: 'Groovy'; }
+  /* additional language identifiers from org-babel-shell-names in
+     ob-shell.el: ob-shell is the only babel language using a lambda to put
+     the execution function name together. */
+  pre.src-bash:before  { content: 'bash'; }
+  pre.src-csh:before  { content: 'csh'; }
+  pre.src-ash:before  { content: 'ash'; }
+  pre.src-dash:before  { content: 'dash'; }
+  pre.src-ksh:before  { content: 'ksh'; }
+  pre.src-mksh:before  { content: 'mksh'; }
+  pre.src-posh:before  { content: 'posh'; }
+  /* Additional Emacs modes also supported by the LaTeX listings package */
+  pre.src-ada:before { content: 'Ada'; }
+  pre.src-asm:before { content: 'Assembler'; }
+  pre.src-caml:before { content: 'Caml'; }
+  pre.src-delphi:before { content: 'Delphi'; }
+  pre.src-html:before { content: 'HTML'; }
+  pre.src-idl:before { content: 'IDL'; }
+  pre.src-mercury:before { content: 'Mercury'; }
+  pre.src-metapost:before { content: 'MetaPost'; }
+  pre.src-modula-2:before { content: 'Modula-2'; }
+  pre.src-pascal:before { content: 'Pascal'; }
+  pre.src-ps:before { content: 'PostScript'; }
+  pre.src-prolog:before { content: 'Prolog'; }
+  pre.src-simula:before { content: 'Simula'; }
+  pre.src-tcl:before { content: 'tcl'; }
+  pre.src-tex:before { content: 'TeX'; }
+  pre.src-plain-tex:before { content: 'Plain TeX'; }
+  pre.src-verilog:before { content: 'Verilog'; }
+  pre.src-vhdl:before { content: 'VHDL'; }
+  pre.src-xml:before { content: 'XML'; }
+  pre.src-nxml:before { content: 'XML'; }
+  /* add a generic configuration mode; LaTeX export needs an additional
+     (add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
+  pre.src-conf:before { content: 'Configuration File'; }
+
+  table { border-collapse:collapse; }
+  caption.t-above { caption-side: top; }
+  caption.t-bottom { caption-side: bottom; }
+  td, th { vertical-align:top;  }
+  th.org-right  { text-align: center;  }
+  th.org-left   { text-align: center;   }
+  th.org-center { text-align: center; }
+  td.org-right  { text-align: right;  }
+  td.org-left   { text-align: left;   }
+  td.org-center { text-align: center; }
+  dt { font-weight: bold; }
+  .footpara { display: inline; }
+  .footdef  { margin-bottom: 1em; }
+  .figure { padding: 1em; }
+  .figure p { text-align: center; }
+  .equation-container {
+    display: table;
+    text-align: center;
+    width: 100%;
+  }
+  .equation {
+    vertical-align: middle;
+  }
+  .equation-label {
+    display: table-cell;
+    text-align: right;
+    vertical-align: middle;
+  }
+  .inlinetask {
+    padding: 10px;
+    border: 2px solid gray;
+    margin: 10px;
+    background: #ffffcc;
+  }
+  #org-div-home-and-up
+   { text-align: right; font-size: 70%; white-space: nowrap; }
+  textarea { overflow-x: auto; }
+  .linenr { font-size: smaller }
+  .code-highlighted { background-color: #ffff00; }
+  .org-info-js_info-navigation { border-style: none; }
+  #org-info-js_console-label
+    { font-size: 10px; font-weight: bold; white-space: nowrap; }
+  .org-info-js_search-highlight
+    { background-color: #ffff00; color: #000000; font-weight: bold; }
+  .org-svg { }
+</style>
+</head>
+<body>
+<div id="content" class="content">
+<h1 class="title">CodeQL Dataflow SQL Injection (Go)</h1>
+<div id="table-of-contents" role="doc-toc">
+<h2>Table of Contents</h2>
+<div id="text-table-of-contents" role="doc-toc">
+<ul>
+<li><a href="#org28a0be9">1. Intro</a></li>
+<li><a href="#org5e11c79">2. Build a CodeQL database</a></li>
+<li><a href="#orgd43d296">3. Run the queries</a></li>
+<li><a href="#orgbe1c530">4. Notes</a></li>
+</ul>
+</div>
+</div>
+<div id="outline-container-org28a0be9" class="outline-2">
+<h2 id="org28a0be9"><span class="section-number-2">1.</span> Intro</h2>
+<div class="outline-text-2" id="text-1">
+<ul class="org-ul">
+<li>Minimal Go example to demonstrate taint flow: untrusted input from <code>stdin</code> flows into a dynamically constructed SQL string and is executed via <code>exec.Command("sqlite3", ...)</code>.</li>
+<li>Two CodeQL queries are included:
+<ul class="org-ul">
+<li><code>SourceGetUserInfo.ql</code>: matches the return value of <code>getUserInfo()</code> as a taint source.</li>
+<li><code>SinkExecCommandThirdArg.ql</code>: matches the 3rd argument of <code>exec.Command(...)</code> as a taint sink.</li>
+</ul></li>
+</ul>
+</div>
+</div>
+<div id="outline-container-org5e11c79" class="outline-2">
+<h2 id="org5e11c79"><span class="section-number-2">2.</span> Build a CodeQL database</h2>
+<div class="outline-text-2" id="text-2">
+<p>
+Assumes Go toolchain and CodeQL CLI are installed and on PATH.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-shell"><span style="color: #483d8b;">cd</span> codeql/codeql-dataflow-sql-injection-go
+
+<span style="color: #b22222;"># </span><span style="color: #b22222;">Optional: fetch deps if any</span>
+go mod init example.com/adduser 2&gt;/dev/null || true
+go mod tidy 2&gt;/dev/null || true
+
+<span style="color: #b22222;"># </span><span style="color: #b22222;">Create the CodeQL database (Go extractor auto-detected)</span>
+codeql database create db --language=go --source-root .
+</pre>
+</div>
+
+<p>
+If you already have a database, you can skip creation and reuse it.
+</p>
+</div>
+</div>
+<div id="outline-container-orgd43d296" class="outline-2">
+<h2 id="orgd43d296"><span class="section-number-2">3.</span> Run the queries</h2>
+<div class="outline-text-2" id="text-3">
+<p>
+First, install the pack dependencies, then analyze the database with this pack.
+</p>
+
+<div class="org-src-container">
+<pre class="src src-shell"><span style="color: #483d8b;">cd</span> codeql/codeql-dataflow-sql-injection-go
+
+<span style="color: #b22222;"># </span><span style="color: #b22222;">Install dependencies for the pack</span>
+codeql pack install
+
+<span style="color: #b22222;"># </span><span style="color: #b22222;">Run both queries in this directory against the database</span>
+codeql database analyze db . <span style="color: #8b2252;">\</span>
+       --format=sarifv2.1.0 <span style="color: #8b2252;">\</span>
+       --output=results.sarif
+</pre>
+</div>
+
+<p>
+To run a single query:
+</p>
+
+<div class="org-src-container">
+<pre class="src src-shell">codeql database analyze db SourceGetUserInfo.ql --format=text
+codeql database analyze db SinkExecCommandThirdArg.ql --format=text
+</pre>
+</div>
+</div>
+</div>
+<div id="outline-container-orgbe1c530" class="outline-2">
+<h2 id="orgbe1c530"><span class="section-number-2">4.</span> Notes</h2>
+<div class="outline-text-2" id="text-4">
+<ul class="org-ul">
+<li>The queries use AST matching (not dataflow) to demonstrate precise source/sink identification. You can wire them into a taint configuration to perform full dataflow analysis.</li>
+</ul>
+</div>
+</div>
+</div>
+<div id="postamble" class="status">
+<p class="author">Author: Michael Hohn</p>
+<p class="date">Created: 2025-09-01 Mon 22:54</p>
+<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
+</div>
+</body>
+</html>
--- a/README.org
+++ b/README.org
@@ -0,0 +1,48 @@
+#+title: CodeQL Dataflow SQL Injection (Go)
+
+* Intro
+  - Minimal Go example to demonstrate taint flow: untrusted input from =stdin= flows into a dynamically constructed SQL string and is executed via =exec.Command("sqlite3", ...)=.
+  - Two CodeQL queries are included:
+    - =SourceGetUserInfo.ql=: matches the return value of =getUserInfo()= as a taint source.
+    - =SinkExecCommandThirdArg.ql=: matches the 3rd argument of =exec.Command(...)= as a taint sink.
+
+* Build a CodeQL database
+  Assumes Go toolchain and CodeQL CLI are installed and on PATH.
+
+  #+begin_src shell
+    cd codeql/codeql-dataflow-sql-injection-go
+
+    # Optional: fetch deps if any
+    go mod init example.com/adduser 2>/dev/null || true
+    go mod tidy 2>/dev/null || true
+
+    # Create the CodeQL database (Go extractor auto-detected)
+    codeql database create db --language=go --source-root .
+  #+end_src
+
+  If you already have a database, you can skip creation and reuse it.
+
+* Run the queries
+  First, install the pack dependencies, then analyze the database with this pack.
+
+  #+begin_src shell
+    cd codeql/codeql-dataflow-sql-injection-go
+
+    # Install dependencies for the pack
+    codeql pack install
+
+    # Run both queries in this directory against the database
+    codeql database analyze db . \
+           --format=sarifv2.1.0 \
+           --output=results.sarif
+  #+end_src
+
+  To run a single query:
+
+  #+begin_src shell
+    codeql database analyze db SourceGetUserInfo.ql --format=text
+    codeql database analyze db SinkExecCommandThirdArg.ql --format=text
+  #+end_src
+
+* Notes
+  - The queries use AST matching (not dataflow) to demonstrate precise source/sink identification. You can wire them into a taint configuration to perform full dataflow analysis.
--- a/SinkExecCommandThirdArg.ql
+++ b/SinkExecCommandThirdArg.ql
@@ -0,0 +1,21 @@
+/**
+ * Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.
+ * Uses AST/semantic matching via resolved call target and argument position.
+ */
+
+import go
+
+/** A sink expression corresponding to the 3rd argument to exec.Command. */
+predicate isSink(Expr e) {
+  exists(Call c, Function f |
+    f = c.getTarget() and
+    f.getName() = "Command" and
+    f.getDeclaringPackage().getName() = "exec" and
+    e = c.getArgument(2)
+  )
+}
+
+from Expr e
+where isSink(e)
+select e, "Sink: 3rd argument to exec.Command"
+
--- a/SourceGetUserInfo.ql
+++ b/SourceGetUserInfo.ql
@@ -0,0 +1,20 @@
+/**
+ * Identify the source: the return value of function `getUserInfo`.
+ * Uses AST matching to find return expressions within that function.
+ */
+
+import go
+
+/** A source expression corresponding to the value returned from getUserInfo. */
+predicate isSource(Expr e) {
+  exists(Function f, ReturnStmt r, int i |
+    f.getName() = "getUserInfo" and
+    r.getEnclosingFunction() = f and
+    e = r.getExpr(i)
+  )
+}
+
+from Expr e
+where isSource(e)
+select e, "Source: return value of getUserInfo"
+
--- a/qlpack.yml
+++ b/qlpack.yml
@@ -0,0 +1,9 @@
+name: hohnlab/codeql-dataflow-sql-injection-go
+version: 0.0.1
+extractor: go
+dependencies:
+  codeql/go: "*"
+queries:
+  - SourceGetUserInfo.ql
+  - SinkExecCommandThirdArg.ql
+