From 4b690038063220b335ea67762d8076f74e34884a Mon Sep 17 00:00:00 2001
From: michael hohn
Date: Mon, 1 Sep 2025 22:58:51 -0700
Subject: [PATCH] initial generated files
---
README.html | 294 +++++++++++++++++++++++++++++++++++++
README.org | 48 ++++++
SinkExecCommandThirdArg.ql | 21 +++
SourceGetUserInfo.ql | 20 +++
qlpack.yml | 9 ++
5 files changed, 392 insertions(+)
create mode 100644 README.html
create mode 100644 README.org
create mode 100644 SinkExecCommandThirdArg.ql
create mode 100644 SourceGetUserInfo.ql
create mode 100644 qlpack.yml
diff --git a/README.html b/README.html
new file mode 100644
index 0000000..5d95d78
--- /dev/null
+++ b/README.html
@@ -0,0 +1,294 @@
+ + + + + + + +CodeQL Dataflow SQL Injection (Go) + + + + + +
+

CodeQL Dataflow SQL Injection (Go)

+ +
+

1. Intro

+
+
    +
  • Minimal Go example to demonstrate taint flow: untrusted input from stdin flows into a dynamically constructed SQL string and is executed via exec.Command("sqlite3", ...).
  • +
  • Two CodeQL queries are included: +
      +
    • SourceGetUserInfo.ql: matches the return value of getUserInfo() as a taint source.
    • +
    • SinkExecCommandThirdArg.ql: matches the 3rd argument of exec.Command(...) as a taint sink.
    • +
  • +
+
+
+
+

2. Build a CodeQL database

+
+

+Assumes Go toolchain and CodeQL CLI are installed and on PATH. +

+ +
+
cd codeql/codeql-dataflow-sql-injection-go
+
+# Optional: fetch deps if any
+go mod init example.com/adduser 2>/dev/null || true
+go mod tidy 2>/dev/null || true
+
+# Create the CodeQL database (Go extractor auto-detected)
+codeql database create db --language=go --source-root .
+
+
+ +

+If you already have a database, you can skip creation and reuse it. +

+
+
+
+

3. Run the queries

+
+

+First, install the pack dependencies, then analyze the database with this pack. +

+ +
+
cd codeql/codeql-dataflow-sql-injection-go
+
+# Install dependencies for the pack
+codeql pack install
+
+# Run both queries in this directory against the database
+codeql database analyze db . \
+       --format=sarifv2.1.0 \
+       --output=results.sarif
+
+
+ +

+To run a single query: +

+ +
+
codeql database analyze db SourceGetUserInfo.ql --format=text
+codeql database analyze db SinkExecCommandThirdArg.ql --format=text
+
+
+
+
+
+

4. Notes

+
+
    +
  • The queries use AST matching (not dataflow) to demonstrate precise source/sink identification. You can wire them into a taint configuration to perform full dataflow analysis.
  • +
+
+
+
+
+

Author: Michael Hohn

+

Created: 2025-09-01 Mon 22:54

+

Validate

+
+ + +
diff --git a/README.org b/README.org
new file mode 100644
index 0000000..0007e61
--- /dev/null
+++ b/README.org
@@ -0,0 +1,48 @@
+#+title: CodeQL Dataflow SQL Injection (Go)
+
+* Intro
+ - Minimal Go example to demonstrate taint flow: untrusted input from =stdin= flows into a dynamically constructed SQL string and is executed via =exec.Command("sqlite3", ...)=.
+ - Two CodeQL queries are included:
+ - =SourceGetUserInfo.ql=: matches the return value of =getUserInfo()= as a taint source.
+ - =SinkExecCommandThirdArg.ql=: matches the 3rd argument of =exec.Command(...)= as a taint sink.
+
+* Build a CodeQL database
+ Assumes Go toolchain and CodeQL CLI are installed and on PATH.
+
+ #+begin_src shell
+ cd codeql/codeql-dataflow-sql-injection-go
+
+ # Optional: fetch deps if any
+ go mod init example.com/adduser 2>/dev/null || true
+ go mod tidy 2>/dev/null || true
+
+ # Create the CodeQL database (Go extractor auto-detected)
+ codeql database create db --language=go --source-root .
+ #+end_src
+
+ If you already have a database, you can skip creation and reuse it.
+
+* Run the queries
+ First, install the pack dependencies, then analyze the database with this pack.
+
+ #+begin_src shell
+ cd codeql/codeql-dataflow-sql-injection-go
+
+ # Install dependencies for the pack
+ codeql pack install
+
+ # Run both queries in this directory against the database
+ codeql database analyze db . \
+ --format=sarifv2.1.0 \
+ --output=results.sarif
+ #+end_src
+
+ To run a single query:
+
+ #+begin_src shell
+ codeql database analyze db SourceGetUserInfo.ql --format=text
+ codeql database analyze db SinkExecCommandThirdArg.ql --format=text
+ #+end_src
+
+* Notes
+ - The queries use AST matching (not dataflow) to demonstrate precise source/sink identification. You can wire them into a taint configuration to perform full dataflow analysis.
diff --git a/SinkExecCommandThirdArg.ql b/SinkExecCommandThirdArg.ql
new file mode 100644
index 0000000..e1ff911
--- /dev/null
+++ b/SinkExecCommandThirdArg.ql
@@ -0,0 +1,21 @@
+/**
+ * Identify the sink: the 3rd argument to exec.Command(...), i.e., index 2.
+ * Uses AST/semantic matching via resolved call target and argument position.
+ */
+
+import go
+
+/** A sink expression corresponding to the 3rd argument to exec.Command. */
+predicate isSink(Expr e) {
+ exists(Call c, Function f |
+ f = c.getTarget() and
+ f.getName() = "Command" and
+ f.getDeclaringPackage().getName() = "exec" and
+ e = c.getArgument(2)
+ )
+}
+
+from Expr e
+where isSink(e)
+select e, "Sink: 3rd argument to exec.Command"
+
diff --git a/SourceGetUserInfo.ql b/SourceGetUserInfo.ql
new file mode 100644
index 0000000..e81159f
--- /dev/null
+++ b/SourceGetUserInfo.ql
@@ -0,0 +1,20 @@
+/**
+ * Identify the source: the return value of function `getUserInfo`.
+ * Uses AST matching to find return expressions within that function.
+ */
+
+import go
+
+/** A source expression corresponding to the value returned from getUserInfo. */
+predicate isSource(Expr e) {
+ exists(Function f, ReturnStmt r, int i |
+ f.getName() = "getUserInfo" and
+ r.getEnclosingFunction() = f and
+ e = r.getExpr(i)
+ )
+}
+
+from Expr e
+where isSource(e)
+select e, "Source: return value of getUserInfo"
+
diff --git a/qlpack.yml b/qlpack.yml
new file mode 100644
index 0000000..d084a2a
--- /dev/null
+++ b/qlpack.yml
@@ -0,0 +1,9 @@
+name: hohnlab/codeql-dataflow-sql-injection-go
+version: 0.0.1
+extractor: go
+dependencies:
+ codeql/go: "*"
+queries:
+ - SourceGetUserInfo.ql
+ - SinkExecCommandThirdArg.ql
+
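Review bot: `isSink` identifies the callee by package name rather than import path, `f.getDeclaringPackage().getName() = "exec"`, so any package named `exec` qualifies while nothing distinguishes the standard library's `os/exec`; and it inspects only `c.getArgument(2)`, so a tainted string handed to `exec.Command` at another position or through a spread slice (`exec.Command("sqlite3", args...)`) is never a sink, and `exec.CommandContext` is not covered at all. Match the import path and consider every argument after the program name: `f.hasQualifiedName("os/exec", "Command") and exists(int i | i > 0 and e = c.getArgument(i))`. I could not confirm that `Call` resolves to an AST class in the Go library; the AST call node there is `CallExpr`, which has `getTarget()`, so it is worth running `codeql query compile` on this file before relying on it. If the index-2 restriction is a deliberate teaching simplification, say so in the predicate's doc comment so readers do not copy it into a real sink definition.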
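Review bot: `r.getEnclosingFunction() = f` equates an AST node with a `Function` entity; in the Go library `getEnclosingFunction()` on a statement yields a `FuncDef`, so I would expect this comparison either to fail to compile or never to hold, leaving `isSource` with no results — worth confirming with `codeql query compile`. Matching on the declaration avoids the mismatch: `exists(FuncDecl fd, ReturnStmt r, int i | fd.getName() = "getUserInfo" and r.getEnclosingFunction() = fd and e = r.getExpr(i))`. Every returned expression is flagged, so if `getUserInfo` returns a second value (an `error`, say) that value becomes a source too; pin `i` to the index of the string result if that is not intended. Matching on the bare name also means a `getUserInfo` in any package qualifies, which a non-demo source predicate should narrow by package.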
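Review bot: `codeql/go: "*"` accepts any published version of the Go library pack, so `codeql pack install` resolves to whatever is newest at install time and two runs of the documented steps can analyze with different library versions, or stop compiling when an API the queries use changes. Pin a range instead, `codeql/go: "<pinned-version-range>"` (placeholder; take the version from the `codeql pack install` output), and commit the generated `codeql-pack.lock.yml` so results are reproducible.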