mirror of
https://github.com/hohn/codeql-lab.git
synced 2025-12-16 18:03:08 +01:00
major revisions
This commit is contained in:
Michael Hohn
committed by
=Michael Hohn
=Michael Hohn
parent
c46f2260ca
commit
3869a61388
78
README.org
78
README.org
@@ -74,9 +74,27 @@
|
||||
- [[./codeql-sqlite-java/TaintFlowDebugging.ql]]
|
||||
- [[./codeql-sqlite-java/TaintFlowDebugging.md]]
|
||||
|
||||
*** Debugging data flow config (instead of taint flow), C
|
||||
*** TODO Debugging data flow config (instead of taint flow), C
|
||||
A corresponding example for C is planned, using a simplified query to trace
|
||||
value propagation in [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]].
|
||||
Unlike Java, C may require manual modeling even to visualize basic flows.
|
||||
|
||||
** Modeling
|
||||
There are two primary approaches to modeling: direct use of CodeQL predicates
|
||||
and the models-as-data system. The models-as-data system is implemented in QL
|
||||
but relies on external YAML files that are interpreted at query evaluation
|
||||
time.
|
||||
|
||||
The model editor provides a GUI for managing YAML-based models, but the
|
||||
underlying format is identical to that used by the models-as-data system. In C
|
||||
and other cases where GUI support is limited or unavailable, we write these
|
||||
YAML models manually and invoke them directly from queries.
|
||||
|
||||
When YAML models are written directly, the use of GPT-based tooling becomes
|
||||
very natural. GPTs can extract function signatures, parameter semantics, and
|
||||
flow annotations from documentation or code examples, then generate valid YAML
|
||||
model entries automatically.
|
||||
|
||||
*** Review: SQLite Injection Workshop, Java
|
||||
We begin with a recap of the Java-based injection example, focusing on the
|
||||
vulnerable code in [[./codeql-sqlite-java/AddUser.java][AddUser.java]]. Following that, we examine a fully manual
|
||||
@@ -128,31 +146,10 @@
|
||||
|
||||
|
||||
*** Review: SQLite Injection Workshop (C)
|
||||
This is the C version of the workshop.
|
||||
|
||||
*** Extending Queries with Customizations.qll for C
|
||||
While most CodeQL-supported languages provide out-of-the-box support for
|
||||
=Customizations.qll=, C and C++ do not include this by default. However, it is
|
||||
possible to enable such support by building a custom CodeQL bundle. This can
|
||||
be done using the CLI tool at
|
||||
https://github.com/advanced-security/codeql-bundle. Since the tool functions
|
||||
largely as a black box, we provide a more detailed illustration of the
|
||||
underlying steps.
|
||||
|
||||
A working demonstration is available in
|
||||
[[./codeql-dataflow-sql-injection-c/README.org]]. In languages like Java,
|
||||
=Customizations.qll= is included automatically via imports from
|
||||
=<language>.qll=, such as [[./ql/java/ql/lib/java.qll][java.qll]] importing [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which defines
|
||||
user-extensible predicates for flow modeling.
|
||||
|
||||
For C/C++, the process requires explicit modification:
|
||||
1. Modify =ql/cpp/ql/lib/cpp.qll= to import =Customizations.qll=.
|
||||
2. Create and populate =ql/cpp/ql/lib/Customizations.qll= with custom sources/sinks or extensions.
|
||||
3. Rebuild the CodeQL bundle to include these changes.
|
||||
|
||||
This customization enables consistent user-defined flow modeling across
|
||||
languages, making it possible to reuse modeling patterns from Java or Python
|
||||
in C/C++ contexts.
|
||||
This is the C version of the injection workshop, based on
|
||||
[[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]. It
|
||||
serves as the basis for both the "models-as-data" manual modeling and the
|
||||
extension via Customizations.qll.
|
||||
|
||||
*** Use models-as-data QL code directly (no graphical editor)
|
||||
This section focuses on applying the models-as-data system without using the
|
||||
@@ -179,6 +176,35 @@
|
||||
calls a function already modeled as a source—to illustrate how user-defined
|
||||
extensions propagate through the query logic.
|
||||
|
||||
*** Extending Queries with Customizations.qll for C
|
||||
The manual YAML modeling approach from the previous section works well for
|
||||
isolated cases. However, to integrate seamlessly with idiomatic CodeQL
|
||||
queries, we show how to extend the standard QL libraries via
|
||||
=Customizations.qll=
|
||||
|
||||
While most CodeQL-supported languages provide out-of-the-box support for
|
||||
=Customizations.qll=, C and C++ do not include this by default. However, it is
|
||||
possible to enable such support by building a custom CodeQL bundle. This can
|
||||
be done using the CLI tool at
|
||||
https://github.com/advanced-security/codeql-bundle. Since the tool functions
|
||||
largely as a black box, we provide a more detailed illustration of the
|
||||
underlying steps.
|
||||
|
||||
A working demonstration is available in
|
||||
[[./codeql-dataflow-sql-injection-c/README.org]]. In languages like Java,
|
||||
=Customizations.qll= is included automatically via imports from
|
||||
=<language>.qll=, such as [[./ql/java/ql/lib/java.qll][java.qll]] importing [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which defines
|
||||
user-extensible predicates for flow modeling.
|
||||
|
||||
For C/C++, the process requires explicit modification:
|
||||
1. Modify =ql/cpp/ql/lib/cpp.qll= to import =Customizations.qll=.
|
||||
2. Create and populate =ql/cpp/ql/lib/Customizations.qll= with custom sources/sinks or extensions.
|
||||
3. Rebuild the CodeQL bundle to include these changes.
|
||||
|
||||
This customization enables consistent user-defined flow modeling across
|
||||
languages, making it possible to reuse modeling patterns from Java or Python
|
||||
in C/C++ contexts.
|
||||
|
||||
** TODO codeql-bundling
|
||||
TBD: detailed description of
|
||||
https://github.com/advanced-security/codeql-bundle, in
|
||||
|
||||
Reference in New Issue
Block a user