hohn/codeql-intro-csharp
1
0
Fork 0
mirror of https://github.com/hohn/codeql-intro-csharp.git synced 2025-12-16 10:43:05 +01:00
Code Issues Packages Projects Releases Wiki Activity

Run analysis using given script and database

Browse Source
This commit is contained in:
Michael Hohn
2024-12-03 11:39:21 -08:00
committed by =Michael Hohn
parent 450b9897a1
commit 2a4a0d5413
12 changed files with 679 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
FindFunction.ql Normal file
View File

@@ -0,0 +1,12 @@
/**
* @name Find Function
* @description List certain functions in a DB
* @kind problem
* @id csharp/intro/FindFunction
* @problem.severity warning
*/
import csharp
from Method me
select me, "Method found"

34
SqliDemo/Injectable.cs
View File

@@ -19,29 +19,29 @@ class Injectable
return Process.GetCurrentProcess().Id; return Process.GetCurrentProcess().Id;
} }
static void WriteInfo(int id, string info) static void WriteInfo(int id, string info)
{
const string connectionString = "Data Source=users.sqlite";
using (var connection = new SqliteConnection(connectionString))
{ {
connection.Open(); const string connectionString = "Data Source=users.sqlite";
// '{info.Replace("'", "''")}')" has no vulnerability using (var connection = new SqliteConnection(connectionString))
string query = $"INSERT INTO users VALUES ({id}, '{info}')";
Console.WriteLine($"Running query: {query}");
using (var command = new SqliteCommand(query, connection))
{ {
try connection.Open();
// '{info.Replace("'", "''")}')" has no vulnerability
string query = $"INSERT INTO users VALUES ({id}, '{info}')";
Console.WriteLine($"Running query: {query}");
using (var command = new SqliteCommand(query, connection))
{ {
command.ExecuteNonQuery(); try
} {
catch (Exception ex) command.ExecuteNonQuery();
{ }
Console.WriteLine($"Error executing query: {ex.Message}"); catch (Exception ex)
{
Console.WriteLine($"Error executing query: {ex.Message}");
}
} }
} }
} }
}
static void Main() static void Main()

60
admin Executable file
View File

@@ -0,0 +1,60 @@
#!/bin/bash
set -e
script=$(basename "$0")
GREEN='\033[0;32m'
MAGENTA='\033[0;95m'
NC='\033[0m'
RED='\033[0;31m'
YELLOW='\033[0;33m'
help() {
echo -e "Usage: ./${script} [options]" \
"\n${YELLOW}Options: ${NC}" \
"\n\t -h ${GREEN}Show Help ${NC}" \
"\n\t -c ${MAGENTA}Creates a users table ${NC}" \
"\n\t -s ${MAGENTA}Shows all records in the users table ${NC}" \
"\n\t -r ${RED}Removes users table ${NC}"
}
remove-db () {
rm users.sqlite
}
create-db () {
echo '
CREATE TABLE users (
user_id INTEGER not null,
name TEXT NOT NULL
);
' | sqlite3 users.sqlite
}
show-db () {
echo '
SELECT * FROM users;
' | sqlite3 users.sqlite
}
if [ $# == 0 ]; then
help
exit 0
fi
while getopts "h?csr" option
do
case "${option}"
in
h|\?)
help
exit 0
;;
c) create-db
;;
s) show-db
;;
r) remove-db
;;
esac
done

92
admin.ps1 Normal file
View File

@@ -0,0 +1,92 @@
# Set strict mode to stop execution on errors
Set-StrictMode -Version Latest
# Script name
$script = $MyInvocation.MyCommand.Name
# Color variables
$GREEN = "`e[0;32m"
$MAGENTA = "`e[0;95m"
$NC = "`e[0m"
$RED = "`e[0;31m"
$YELLOW = "`e[0;33m"
# Determine the SQLite executable name
if ($IsWindows) {
$sqlite = "sqlite3.exe"
} else {
$sqlite = "sqlite3"
}
# Function to show help
function Show-Help {
Write-Host "Usage: ./${script} [options]" -NoNewline
Write-Host "`n${YELLOW}Options:${NC}" -NoNewline
Write-Host "`n`t-h ${GREEN}Show Help ${NC}" -NoNewline
Write-Host "`n`t-c ${MAGENTA}Creates a users table ${NC}" -NoNewline
Write-Host "`n`t-s ${MAGENTA}Shows all records in the users table ${NC}" -NoNewline
Write-Host "`n`t-r ${RED}Removes users table ${NC}"
}
# Function to remove the database
function Remove-DB {
if (Test-Path "users.sqlite") {
Remove-Item -Force "users.sqlite"
Write-Host "${GREEN}Database removed.${NC}"
} else {
Write-Host "${YELLOW}Database does not exist.${NC}"
}
}
# Function to create the database
function Create-DB {
$createTableSQL = @"
CREATE TABLE IF NOT EXISTS users (
user_id INTEGER not null,
name TEXT NOT NULL
);
"@
$createTableSQL | & $sqlite users.sqlite
Write-Host "${GREEN}Database created.${NC}"
}
# Function to show database records
function Show-DB {
$querySQL = "SELECT * FROM users;"
$querySQL | & $sqlite users.sqlite
}
# If no arguments, show help and exit
if ($args.Count -eq 0) {
Show-Help
exit
}
# Parse arguments
while ($args.Count -gt 0) {
switch ($args[0]) {
'-h' {
Show-Help
exit
}
'-c' {
Create-DB
}
'-s' {
Show-DB
}
'-r' {
Remove-DB
}
default {
Write-Host "${RED}Invalid option: $($args[0])${NC}"
Show-Help
exit
}
}
if ($args.Count -gt 1) {
$args = $args[1..($args.Count - 1)]
} else {
$args = @()
}
}

7
build.ps1 Normal file
View File

@@ -0,0 +1,7 @@
# Change directory
Set-Location -Path "$HOME\work-gh\codeql-intro-csharp\SqliDemo"
# Build the project
dotnet build
Set-Location -Path "$HOME\work-gh\codeql-intro-csharp\"

3
build.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
cd ~/work-gh/codeql-intro-csharp/SqliDemo
dotnet build

8
codeql-intro-csharp.code-workspace Normal file
View File

@@ -0,0 +1,8 @@
{
"folders": [
{
"path": "."
}
],
"settings": {}
}

24
codeql-pack.lock.yml Normal file
View File

@@ -0,0 +1,24 @@
---
lockVersion: 1.0.0
dependencies:
codeql/controlflow:
version: 1.0.12
codeql/csharp-all:
version: 3.1.1
codeql/dataflow:
version: 1.1.6
codeql/mad:
version: 1.0.12
codeql/ssa:
version: 1.0.12
codeql/threat-models:
version: 1.0.12
codeql/tutorial:
version: 1.0.12
codeql/typetracking:
version: 1.0.12
codeql/util:
version: 1.0.12
codeql/xml:
version: 1.0.12
compiled: false

383
csharp-sqli.sarif Normal file
View File

@@ -0,0 +1,383 @@
{
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"version": "2.1.0",
"runs": [
{
"tool": {
"driver": {
"name": "CodeQL",
"organization": "GitHub",
"semanticVersion": "2.19.2",
"notifications": [
{
"id": "cs/baseline/expected-extracted-files",
"name": "cs/baseline/expected-extracted-files",
"shortDescription": {
"text": "Expected extracted files"
},
"fullDescription": {
"text": "Files appearing in the source archive that are expected to be extracted."
},
"defaultConfiguration": {
"enabled": true
},
"properties": {
"tags": [
"expected-extracted-files",
"telemetry"
]
}
},
{
"id": "cli/sip-enablement",
"name": "cli/sip-enablement",
"shortDescription": {
"text": "macOS SIP enablement status"
},
"fullDescription": {
"text": "macOS SIP enablement status"
},
"defaultConfiguration": {
"enabled": true
}
}
],
"rules": [
{
"id": "csharp/intro/FindFunction",
"name": "csharp/intro/FindFunction",
"shortDescription": {
"text": "Find Function"
},
"fullDescription": {
"text": "List certain functions in a DB"
},
"defaultConfiguration": {
"enabled": true,
"level": "warning"
},
"properties": {
"description": "List certain functions in a DB",
"id": "csharp/intro/FindFunction",
"kind": "problem",
"name": "Find Function",
"problem.severity": "warning"
}
}
]
},
"extensions": [
{
"name": "sample/csharp-sql-injection",
"semanticVersion": "0.0.1",
"locations": [
{
"uri": "file:///Users/hohn/work-gh/codeql-intro-csharp/",
"description": {
"text": "The QL pack root directory."
},
"properties": {
"tags": [
"CodeQL/LocalPackRoot"
]
}
},
{
"uri": "file:///Users/hohn/work-gh/codeql-intro-csharp/qlpack.yml",
"description": {
"text": "The QL pack definition file."
},
"properties": {
"tags": [
"CodeQL/LocalPackDefinitionFile"
]
}
}
]
},
{
"name": "codeql/csharp-all",
"semanticVersion": "3.1.1+de325133c7a95d84489acdf5a6ced07886ff5c6d",
"locations": [
{
"uri": "file:///Users/hohn/.codeql/packages/codeql/csharp-all/3.1.1/",
"description": {
"text": "The QL pack root directory."
},
"properties": {
"tags": [
"CodeQL/LocalPackRoot"
]
}
},
{
"uri": "file:///Users/hohn/.codeql/packages/codeql/csharp-all/3.1.1/qlpack.yml",
"description": {
"text": "The QL pack definition file."
},
"properties": {
"tags": [
"CodeQL/LocalPackDefinitionFile"
]
}
}
]
},
{
"name": "codeql/threat-models",
"semanticVersion": "1.0.12+de325133c7a95d84489acdf5a6ced07886ff5c6d",
"locations": [
{
"uri": "file:///Users/hohn/.codeql/packages/codeql/threat-models/1.0.12/",
"description": {
"text": "The QL pack root directory."
},
"properties": {
"tags": [
"CodeQL/LocalPackRoot"
]
}
},
{
"uri": "file:///Users/hohn/.codeql/packages/codeql/threat-models/1.0.12/qlpack.yml",
"description": {
"text": "The QL pack definition file."
},
"properties": {
"tags": [
"CodeQL/LocalPackDefinitionFile"
]
}
}
]
}
]
},
"invocations": [
{
"toolExecutionNotifications": [
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
}
}
}
],
"message": {
"text": ""
},
"level": "none",
"descriptor": {
"id": "cs/baseline/expected-extracted-files",
"index": 0
},
"properties": {
"formattedMessage": {
"text": ""
}
}
},
{
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "HelloWorld/Program.cs",
"uriBaseId": "%SRCROOT%",
"index": 1
}
}
}
],
"message": {
"text": ""
},
"level": "none",
"descriptor": {
"id": "cs/baseline/expected-extracted-files",
"index": 0
},
"properties": {
"formattedMessage": {
"text": ""
}
}
},
{
"message": {
"text": ""
},
"level": "note",
"timeUtc": "2024-12-03T18:57:27.937528Z",
"descriptor": {
"id": "cli/sip-enablement",
"index": 1
},
"properties": {
"attributes": {
"isEnabled": true
},
"visibility": {
"statusPage": false,
"telemetry": true
}
}
}
],
"executionSuccessful": true
}
],
"artifacts": [
{
"location": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
}
},
{
"location": {
"uri": "HelloWorld/Program.cs",
"uriBaseId": "%SRCROOT%",
"index": 1
}
}
],
"results": [
{
"ruleId": "csharp/intro/FindFunction",
"ruleIndex": 0,
"rule": {
"id": "csharp/intro/FindFunction",
"index": 0
},
"message": {
"text": "Method found"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 8,
"startColumn": 19,
"endColumn": 31
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "e9487b577ff946ef:1",
"primaryLocationStartColumnFingerprint": "14"
}
},
{
"ruleId": "csharp/intro/FindFunction",
"ruleIndex": 0,
"rule": {
"id": "csharp/intro/FindFunction",
"index": 0
},
"message": {
"text": "Method found"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 17,
"startColumn": 16,
"endColumn": 24
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "7aff2558b806fcc8:1",
"primaryLocationStartColumnFingerprint": "11"
}
},
{
"ruleId": "csharp/intro/FindFunction",
"ruleIndex": 0,
"rule": {
"id": "csharp/intro/FindFunction",
"index": 0
},
"message": {
"text": "Method found"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 22,
"startColumn": 13,
"endColumn": 22
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "727c2f8457995f1b:1",
"primaryLocationStartColumnFingerprint": "12"
}
},
{
"ruleId": "csharp/intro/FindFunction",
"ruleIndex": 0,
"rule": {
"id": "csharp/intro/FindFunction",
"index": 0
},
"message": {
"text": "Method found"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "SqliDemo/Injectable.cs",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 47,
"startColumn": 17,
"endColumn": 21
}
}
}
],
"partialFingerprints": {
"primaryLocationLineHash": "e39b50fafc292b5d:1",
"primaryLocationStartColumnFingerprint": "12"
}
}
],
"columnKind": "utf16CodeUnits",
"properties": {
"semmle.formatSpecifier": "sarif-latest"
}
}
]
}

8
csharp-sqli.txt Normal file
View File

@@ -0,0 +1,8 @@
csharp/intro/FindFunction: Method found [0 more]
SqliDemo/Injectable.cs:8:
csharp/intro/FindFunction: Method found [0 more]
SqliDemo/Injectable.cs:17:
csharp/intro/FindFunction: Method found [0 more]
SqliDemo/Injectable.cs:22:
csharp/intro/FindFunction: Method found [0 more]
SqliDemo/Injectable.cs:47:

5
qlpack.yml Normal file
View File

@@ -0,0 +1,5 @@
library: false
name: workshop/csharp-sql-injection
version: 0.0.1
dependencies:
codeql/csharp-all: "*"

60
sarif-summary.jq Normal file
View File

@@ -0,0 +1,60 @@
# -*- sh -*-
.runs | .[] | .results | .[] |
( (.ruleId, ": ",
(.message.text | split("\n") | ( .[0], " [", length-1 , " more]")),
"\n")
,
(if (.codeFlows != null) then
(.codeFlows | .[] |
(" Path\n"
,
( .threadFlows | .[] | .locations | .[] | .location | " "
,
( .physicalLocation | ( .artifactLocation.uri, ":", .region.startLine, ":"))
,
(.message.text, " ")
,
"\n"
)))
else
(.locations | .[] |
( " "
,
(.physicalLocation | ( .artifactLocation.uri, ":", .region.startLine, ":"))
))
,
# .message.text,
"\n"
end)
) | tostring
# This script extracts the following parts of the sarif output:
#
# # problem
# "runs" : [ {
# "results" : [ {
# "ruleId" : "cpp/UncheckedErrorCode",
# # path problem
# "runs" : [ {
# "tool" : {
# "driver" : {
# "rules" : [ {
# "properties" : {
# "kind" : "path-problem",
# "runs" : [ {
# "results" : [ {
# "ruleId" : "cpp/DangerousArithmetic",
# "ruleIndex" : 6,
# "message" : {
# "text" : "Potential overflow (conversion: int -> unsigned int)\nPotential overflow (con
# "runs" : [ {
# "results" : [ {
# "codeFlows" : [ {
# "threadFlows" : [ {
# "locations" : [ {
# "location" : {
# "message" : {
# "text" : "buff"