From 102c18cce53e6132e83921e0000de6f01cec3fdc Mon Sep 17 00:00:00 2001 
From: Michael Hohn Date: Wed, 30 Jul 2025 15:14:02 -0700 Subject: [PATCH] Rename directories to include language. Also update files --- README.org | 66 +++++++++++------- codeql-bundling/README.org | 2 +- .../CodeQL-workshop-overview-only.pdf | Bin .../README.org | 0 .../SqlInjection.ql | 0 .../add-user.c | 0 .../add-user.sh | 0 .../admin | 0 .../build.sh | 0 ...deql-dataflow-sql-injection.code-workspace | 0 .../codeql-dataflow-sql-injection.md | 0 .../codeql-pack.lock.yml | 0 .../cpp-sqli-3fe610d-1.zip | 0 .../dataflow-cropped.pdf | Bin .../dataflow.key | Bin .../dataflow.pdf | Bin ...incoming.codeql-customizations-workshop.md | 0 .../qlpack.yml | 0 .../sarif-summary.jq | 0 .../session.ql | 0 {codeql-duckdb => codeql-duckdb-c}/README.org | 0 .../codeql-pack.lock.yml | 0 {codeql-duckdb => codeql-duckdb-c}/example.ql | 0 {codeql-duckdb => codeql-duckdb-c}/qlpack.yml | 0 .../README.org | 2 +- .../codeql-pack.lock.yml | 0 .../example.ql | 0 .../qlpack.yml | 0 .../AddUser.java | 0 .../Illustrations.ql | 0 .../README.org | 0 .../TaintFlowDebugging.md | 0 .../TaintFlowDebugging.ql | 0 .../add-user | 0 {codeql-sqlite => codeql-sqlite-java}/admin | 0 .../build.sh | 0 .../codeql-pack.lock.yml | 0 .../qlpack.yml | 0 .../sarif-summary.jq | 0 .../sqlite-jdbc-3.36.0.1.jar | 0 40 files changed, 43 insertions(+), 27 deletions(-) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/CodeQL-workshop-overview-only.pdf (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/README.org (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/SqlInjection.ql (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/add-user.c (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/add-user.sh (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/admin (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/build.sh 
(100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/codeql-dataflow-sql-injection.code-workspace (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/codeql-dataflow-sql-injection.md (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/codeql-pack.lock.yml (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/cpp-sqli-3fe610d-1.zip (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/dataflow-cropped.pdf (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/dataflow.key (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/dataflow.pdf (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/incoming.codeql-customizations-workshop.md (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/qlpack.yml (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/sarif-summary.jq (100%) rename {codeql-dataflow-sql-injection => codeql-dataflow-sql-injection-c}/session.ql (100%) rename {codeql-duckdb => codeql-duckdb-c}/README.org (100%) rename {codeql-duckdb => codeql-duckdb-c}/codeql-pack.lock.yml (100%) rename {codeql-duckdb => codeql-duckdb-c}/example.ql (100%) rename {codeql-duckdb => codeql-duckdb-c}/qlpack.yml (100%) rename {codeql-jedis => codeql-jedis-java}/README.org (99%) rename {codeql-jedis => codeql-jedis-java}/codeql-pack.lock.yml (100%) rename {codeql-jedis => codeql-jedis-java}/example.ql (100%) rename {codeql-jedis => codeql-jedis-java}/qlpack.yml (100%) rename {codeql-sqlite => codeql-sqlite-java}/AddUser.java (100%) rename {codeql-sqlite => codeql-sqlite-java}/Illustrations.ql (100%) rename {codeql-sqlite => codeql-sqlite-java}/README.org (100%) rename {codeql-sqlite => codeql-sqlite-java}/TaintFlowDebugging.md (100%) rename {codeql-sqlite => codeql-sqlite-java}/TaintFlowDebugging.ql (100%) 
rename {codeql-sqlite => codeql-sqlite-java}/add-user (100%) rename {codeql-sqlite => codeql-sqlite-java}/admin (100%) rename {codeql-sqlite => codeql-sqlite-java}/build.sh (100%) rename {codeql-sqlite => codeql-sqlite-java}/codeql-pack.lock.yml (100%) rename {codeql-sqlite => codeql-sqlite-java}/qlpack.yml (100%) rename {codeql-sqlite => codeql-sqlite-java}/sarif-summary.jq (100%) rename {codeql-sqlite => codeql-sqlite-java}/sqlite-jdbc-3.36.0.1.jar (100%)
diff --git a/README.org b/README.org
index a1d9074..24b3fdd 100644
--- a/README.org
+++ b/README.org
@@ -61,7 +61,7 @@ - A prebuilt CodeQL CLI binary is included: : 1104625939 assets/codeql-osx64.zip - Project-specific repositories can be added directly under the root. - Example: the C dataflow workshop in =./codeql-dataflow-sql-injection= + Example: the C dataflow workshop in =./codeql-dataflow-sql-injection-c= ** Additional Structure Notes - The original upstream README.md is preserved at [[./README-vscode-codeql-starter.md]]
@@ -71,8 +71,8 @@ ** Data Flow *** Debugging data flow config (instead of taint flow), Java We can illustrate taint-flow debugging in the Java SQL injection sample - - [[./codeql-sqlite/TaintFlowDebugging.ql]] - - [[./codeql-sqlite/TaintFlowDebugging.md]] + - [[./codeql-sqlite-java/TaintFlowDebugging.ql]] + - [[./codeql-sqlite-java/TaintFlowDebugging.md]] *** Debugging data flow config (instead of taint flow), C
@@ -81,34 +81,41 @@ - Recap the Java-based injection example. *** Customizations via codeql, java - - codeql-dataflow-sql-injection/README.org, [[file:codeql-dataflow-sql-injection/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]] - - TODO raw md from staging: codeql-dataflow-sql-injection/incoming.codeql-customizations-workshop.md + - codeql-dataflow-sql-injection-c/README.org, [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]] + - TODO raw md from staging: codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md -*** Model Editor: Simplest Case, Java - - Extend the Java example using the model editor. - - Explain how "models-as-data" works under the hood. - - customizations using models-as-data, via model editor - - editor as illustration tool - - customizations using models-as-data, via text - - continue with codeql-dataflow-sql-injection - - [[file:codeql-dataflow-sql-injection/README.org::*supplement codeql: Add to models-as-data][supplement codeql: Add to models-as-data]] +*** Model Editor: Single-function case (Java, SQLite sample) + 1. Extend the Java example using the model editor. The data and spec are present. + 1. This sample illustrates a subtle problem with the model editor: + =java.io.Console.readLine()= is already modeled as a /taint step/ and + therefore does not appear in the editor. However, we need it modeled as a /source/, + which requires special handling. + 2. Extension spec: [[file:~/work-gh/codeql-lab/.github/codeql/extensions/sqlite-db/codeql-pack.yml::name: pack/sqlite-db]] + 3. Extension data: [[file:~/work-gh/codeql-lab/.github/codeql/extensions/sqlite-db/models/sqlite.model.yml::extensions:]] + 4. 
Explanation: [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]] + 2. Explain how the "models-as-data" system works internally: + 1. Use a diagnostic query to enumerate current sources and sinks. + 2. Identify the relevant entry points (e.g., classes and QL predicates) + by inspecting representative queries such as: + [[file:~/work-gh/codeql-lab/ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql::@name Query built from user-controlled sources]] -*** Jedis Example: Scale Demonstration, Java - - Use Jedis (Java Redis client) to show modeling at scale. - - Emphasize quantity; CodeQL logic is unchanged from #2. +*** Model Editor: Jedis Example (Java Redis client) + 1. This sample is straightforward and has no surprises. + 2. There are many functions, but they all follow a simple, repetitive pattern. + 3. Use the model editor to define sources and sinks at scale. + 4. Explanation: [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]] + 5. Validation: [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]] + 6. Query usage: [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]] *** TODO Review: SQLite Injection Workshop (C) - C++ version of the workshop. -*** TODO (Optional) Extending Queries with Customizations.qll +*** TODO Extending Queries with Customizations.qll for C - Supported in most languages, but not C++ by default. - Can be enabled by building a custom CodeQL bundle. - Use this CLI tool: https://github.com/advanced-security/codeql-bundle - - - USE language in name - - Demonstrate using `codeql-lab`. 
- + in [[./codeql-sqlite/README.org]] + + in [[./codeql-sqlite-java/README.org]] + ql/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll #+BEGIN_SRC text abstract class FlowSource extends DataFlow::Node
@@ -128,15 +135,24 @@ : ql/cpp/ql/lib/Customizations.qll *** TODO Use models-as-data QL code directly (no graphical editor). - - - + summary - The model definition files exist - Data files exist - There is no editor - Generate YAML manually. + + - Use the C version of the SQLite injection workshop as reinforcement. + 1. Code: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]] + 2. Query: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/SqlInjection.ql]] + - Apply models-as-data QL logic directly (no graphical editor). + 1. [ ] Add model for: =count = read(STDIN_FILENO, buf, BUFSIZE);= + 2. [ ] Add model for: =rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);= + 3. [X] Reference Java version (structure only, not editor): [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]] + 4. [ ] C-specific walkthrough: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]] + - Manually define YAML models for standard functions (e.g., =read=) and test propagation via QL. + - customizations using models-as-data, via text - - continue with codeql-dataflow-sql-injection + - continue with codeql-dataflow-sql-injection-c - The ./ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql query works out of the box - Add =char* get_user_info()= as extra source for illustration
diff --git a/codeql-bundling/README.org b/codeql-bundling/README.org
index cd5e505..2c1d155 100644
--- a/codeql-bundling/README.org
+++ b/codeql-bundling/README.org
@@ -116,7 +116,7 @@ # # Is the read() function from the line - rg read ~/codeql-lab/codeql-dataflow-sql-injection/add-user.c + rg read ~/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c # 52: count = read(STDIN_FILENO, buf, BUFSIZE - 1); # present?
diff --git a/codeql-dataflow-sql-injection/CodeQL-workshop-overview-only.pdf b/codeql-dataflow-sql-injection-c/CodeQL-workshop-overview-only.pdf
similarity index 100%
rename from codeql-dataflow-sql-injection/CodeQL-workshop-overview-only.pdf
rename to codeql-dataflow-sql-injection-c/CodeQL-workshop-overview-only.pdf
diff --git a/codeql-dataflow-sql-injection/README.org b/codeql-dataflow-sql-injection-c/README.org
similarity index 100%
rename from codeql-dataflow-sql-injection/README.org
rename to codeql-dataflow-sql-injection-c/README.org
diff --git a/codeql-dataflow-sql-injection/SqlInjection.ql b/codeql-dataflow-sql-injection-c/SqlInjection.ql
similarity index 100%
rename from codeql-dataflow-sql-injection/SqlInjection.ql
rename to codeql-dataflow-sql-injection-c/SqlInjection.ql
diff --git a/codeql-dataflow-sql-injection/add-user.c b/codeql-dataflow-sql-injection-c/add-user.c
similarity index 100%
rename from codeql-dataflow-sql-injection/add-user.c
rename to codeql-dataflow-sql-injection-c/add-user.c
diff --git a/codeql-dataflow-sql-injection/add-user.sh b/codeql-dataflow-sql-injection-c/add-user.sh
similarity index 100%
rename from codeql-dataflow-sql-injection/add-user.sh
rename to codeql-dataflow-sql-injection-c/add-user.sh
diff --git a/codeql-dataflow-sql-injection/admin b/codeql-dataflow-sql-injection-c/admin
similarity index 100%
rename from codeql-dataflow-sql-injection/admin
rename to codeql-dataflow-sql-injection-c/admin
diff --git a/codeql-dataflow-sql-injection/build.sh b/codeql-dataflow-sql-injection-c/build.sh
similarity index 100%
rename from codeql-dataflow-sql-injection/build.sh
rename to codeql-dataflow-sql-injection-c/build.sh
diff --git a/codeql-dataflow-sql-injection/codeql-dataflow-sql-injection.code-workspace b/codeql-dataflow-sql-injection-c/codeql-dataflow-sql-injection.code-workspace
similarity index 100%
rename from codeql-dataflow-sql-injection/codeql-dataflow-sql-injection.code-workspace
rename to codeql-dataflow-sql-injection-c/codeql-dataflow-sql-injection.code-workspace
diff --git a/codeql-dataflow-sql-injection/codeql-dataflow-sql-injection.md b/codeql-dataflow-sql-injection-c/codeql-dataflow-sql-injection.md
similarity index 100%
rename from codeql-dataflow-sql-injection/codeql-dataflow-sql-injection.md
rename to codeql-dataflow-sql-injection-c/codeql-dataflow-sql-injection.md
diff --git a/codeql-dataflow-sql-injection/codeql-pack.lock.yml b/codeql-dataflow-sql-injection-c/codeql-pack.lock.yml
similarity index 100%
rename from codeql-dataflow-sql-injection/codeql-pack.lock.yml
rename to codeql-dataflow-sql-injection-c/codeql-pack.lock.yml
diff --git a/codeql-dataflow-sql-injection/cpp-sqli-3fe610d-1.zip b/codeql-dataflow-sql-injection-c/cpp-sqli-3fe610d-1.zip
similarity index 100%
rename from codeql-dataflow-sql-injection/cpp-sqli-3fe610d-1.zip
rename to codeql-dataflow-sql-injection-c/cpp-sqli-3fe610d-1.zip
diff --git a/codeql-dataflow-sql-injection/dataflow-cropped.pdf b/codeql-dataflow-sql-injection-c/dataflow-cropped.pdf
similarity index 100%
rename from codeql-dataflow-sql-injection/dataflow-cropped.pdf
rename to codeql-dataflow-sql-injection-c/dataflow-cropped.pdf
diff --git a/codeql-dataflow-sql-injection/dataflow.key b/codeql-dataflow-sql-injection-c/dataflow.key
similarity index 100%
rename from codeql-dataflow-sql-injection/dataflow.key
rename to codeql-dataflow-sql-injection-c/dataflow.key
diff --git a/codeql-dataflow-sql-injection/dataflow.pdf b/codeql-dataflow-sql-injection-c/dataflow.pdf
similarity index 100%
rename from codeql-dataflow-sql-injection/dataflow.pdf
rename to codeql-dataflow-sql-injection-c/dataflow.pdf
diff --git a/codeql-dataflow-sql-injection/incoming.codeql-customizations-workshop.md b/codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md
similarity index 100%
rename from codeql-dataflow-sql-injection/incoming.codeql-customizations-workshop.md
rename to codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md
diff --git a/codeql-dataflow-sql-injection/qlpack.yml b/codeql-dataflow-sql-injection-c/qlpack.yml
similarity index 100%
rename from codeql-dataflow-sql-injection/qlpack.yml
rename to codeql-dataflow-sql-injection-c/qlpack.yml
diff --git a/codeql-dataflow-sql-injection/sarif-summary.jq b/codeql-dataflow-sql-injection-c/sarif-summary.jq
similarity index 100%
rename from codeql-dataflow-sql-injection/sarif-summary.jq
rename to codeql-dataflow-sql-injection-c/sarif-summary.jq
diff --git a/codeql-dataflow-sql-injection/session.ql b/codeql-dataflow-sql-injection-c/session.ql
similarity index 100%
rename from codeql-dataflow-sql-injection/session.ql
rename to codeql-dataflow-sql-injection-c/session.ql
diff --git a/codeql-duckdb/README.org b/codeql-duckdb-c/README.org
similarity index 100%
rename from codeql-duckdb/README.org
rename to codeql-duckdb-c/README.org
diff --git a/codeql-duckdb/codeql-pack.lock.yml b/codeql-duckdb-c/codeql-pack.lock.yml
similarity index 100%
rename from codeql-duckdb/codeql-pack.lock.yml
rename to codeql-duckdb-c/codeql-pack.lock.yml
diff --git a/codeql-duckdb/example.ql b/codeql-duckdb-c/example.ql
similarity index 100%
rename from codeql-duckdb/example.ql
rename to codeql-duckdb-c/example.ql
diff --git a/codeql-duckdb/qlpack.yml b/codeql-duckdb-c/qlpack.yml
similarity index 100%
rename from codeql-duckdb/qlpack.yml
rename to codeql-duckdb-c/qlpack.yml
diff --git a/codeql-jedis/README.org b/codeql-jedis-java/README.org
similarity index 99%
rename from codeql-jedis/README.org
rename to codeql-jedis-java/README.org
index 6f9f8b4..bea4421 100644
--- a/codeql-jedis/README.org
+++ b/codeql-jedis-java/README.org
@@ -305,7 +305,7 @@ [[../ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql]] * TODO Modeling sqlite as dependency - The tree [[../codeql-sqlite/]] contains a trivial sample taken from a workshop. It + The tree [[../codeql-sqlite-java/]] contains a trivial sample taken from a workshop. It uses =sqlite-jdbc-3.36.0.1.jar=, so we can use it to illustrate modeling on a smaller example. This one is unusual; the function java.io.Console.readLine() is already modeled, but as a taint step, not a
diff --git a/codeql-jedis/codeql-pack.lock.yml b/codeql-jedis-java/codeql-pack.lock.yml
similarity index 100%
rename from codeql-jedis/codeql-pack.lock.yml
rename to codeql-jedis-java/codeql-pack.lock.yml
diff --git a/codeql-jedis/example.ql b/codeql-jedis-java/example.ql
similarity index 100%
rename from codeql-jedis/example.ql
rename to codeql-jedis-java/example.ql
diff --git a/codeql-jedis/qlpack.yml b/codeql-jedis-java/qlpack.yml
similarity index 100%
rename from codeql-jedis/qlpack.yml
rename to codeql-jedis-java/qlpack.yml
diff --git a/codeql-sqlite/AddUser.java b/codeql-sqlite-java/AddUser.java
similarity index 100%
rename from codeql-sqlite/AddUser.java
rename to codeql-sqlite-java/AddUser.java
diff --git a/codeql-sqlite/Illustrations.ql b/codeql-sqlite-java/Illustrations.ql
similarity index 100%
rename from codeql-sqlite/Illustrations.ql
rename to codeql-sqlite-java/Illustrations.ql
diff --git a/codeql-sqlite/README.org b/codeql-sqlite-java/README.org
similarity index 100%
rename from codeql-sqlite/README.org
rename to codeql-sqlite-java/README.org
diff --git a/codeql-sqlite/TaintFlowDebugging.md b/codeql-sqlite-java/TaintFlowDebugging.md
similarity index 100%
rename from codeql-sqlite/TaintFlowDebugging.md
rename to codeql-sqlite-java/TaintFlowDebugging.md
diff --git a/codeql-sqlite/TaintFlowDebugging.ql b/codeql-sqlite-java/TaintFlowDebugging.ql
similarity index 100%
rename from codeql-sqlite/TaintFlowDebugging.ql
rename to codeql-sqlite-java/TaintFlowDebugging.ql
diff --git a/codeql-sqlite/add-user b/codeql-sqlite-java/add-user
similarity index 100%
rename from codeql-sqlite/add-user
rename to codeql-sqlite-java/add-user
diff --git a/codeql-sqlite/admin b/codeql-sqlite-java/admin
similarity index 100%
rename from codeql-sqlite/admin
rename to codeql-sqlite-java/admin
diff --git a/codeql-sqlite/build.sh b/codeql-sqlite-java/build.sh
similarity index 100%
rename from codeql-sqlite/build.sh
rename to codeql-sqlite-java/build.sh
diff --git a/codeql-sqlite/codeql-pack.lock.yml b/codeql-sqlite-java/codeql-pack.lock.yml
similarity index 100%
rename from codeql-sqlite/codeql-pack.lock.yml
rename to codeql-sqlite-java/codeql-pack.lock.yml
diff --git a/codeql-sqlite/qlpack.yml b/codeql-sqlite-java/qlpack.yml
similarity index 100%
rename from codeql-sqlite/qlpack.yml
rename to codeql-sqlite-java/qlpack.yml
diff --git a/codeql-sqlite/sarif-summary.jq b/codeql-sqlite-java/sarif-summary.jq
similarity index 100%
rename from codeql-sqlite/sarif-summary.jq
rename to codeql-sqlite-java/sarif-summary.jq
diff --git a/codeql-sqlite/sqlite-jdbc-3.36.0.1.jar b/codeql-sqlite-java/sqlite-jdbc-3.36.0.1.jar
similarity index 100%
rename from codeql-sqlite/sqlite-jdbc-3.36.0.1.jar
rename to codeql-sqlite-java/sqlite-jdbc-3.36.0.1.jar