clarify *** Customizations via Model Editor: Single-function case (Java SQLite sample)

This commit is contained in:
Michael Hohn
2025-07-30 15:57:02 -07:00
committed by =Michael Hohn
parent 68be793ee2
commit 732e3706e4


@@ -109,19 +109,23 @@
in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]]. in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]].
*** Customizations via Model Editor: Single-function case (Java SQLite sample) *** Customizations via Model Editor: Single-function case (Java SQLite sample)
1. Extend the Java example using the model editor. The data and spec are present. We extend the Java SQLite example using the model editor, with both the
1. This sample illustrates a subtle problem with the model editor: necessary data and specification already available. This example highlights a
=java.io.Console.readLine()= is already modeled as a /taint step/ and subtle issue with the model editor: the method =java.io.Console.readLine()= is
therefore does not appear in the editor. However, we need it modeled as a /source/, already modeled as a taint *step* and therefore does not appear in the editor
which requires special handling. interface, even though we need it modeled as a *source*. This requires special
2. Extensions included: [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]] handling. The relevant extensions are defined in
3. Extension data: [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]] [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data
4. Explanation: [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]] is provided in
2. Explain how the "models-as-data" system works internally: [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed
1. Use a diagnostic query to enumerate current sources and sinks. explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]].
2. Identify the relevant entry points (e.g., classes and QL predicates)
by inspecting representative queries such as: To support this, we explain how the "models-as-data" system works
[[file:~/work-gh/codeql-lab/ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql::@name Query built from user-controlled sources]] internally. A diagnostic query can be used to enumerate currently recognized
sources and sinks. From there, the relevant entry points -- such as QL classes
and predicates -- can be identified by inspecting representative queries like
[[./ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql][SqlTainted.ql]].
*** TODO Review: SQLite Injection Workshop (C) *** TODO Review: SQLite Injection Workshop (C)
- C++ version of the workshop. - C++ version of the workshop.
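Review bot: the rewritten paragraph still reaches the detailed explanation through an absolute home-directory link, [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]], while every other link in the same hunk is repository-relative (codeql-pack.yml, sqlite.model.yml, and the SqlTainted.ql reference, which this very change rewrites from a file:~/work-gh/... path to [[./ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql][SqlTainted.ql]]); the file: link only resolves for a checkout at ~/work-gh/codeql-lab, so it should be made relative the same way. A second gap the rewrite carries over from the old text: it says that =java.io.Console.readLine()= being modeled as a taint step and therefore missing from the editor "requires special handling", but never says what that handling is; one sentence stating how the source model is added instead (and whether the sqlite.model.yml linked two lines later is where it lives) would make the point of the section actionable.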