From b65a498fcc7d3021426fb8080b9cee8866be6cf9 Mon Sep 17 00:00:00 2001 From: Michael Hohn Date: Wed, 30 Jul 2025 15:43:17 -0700 Subject: [PATCH] revise *** Review: SQLite Injection Workshop, Java *** Customizations via codeql (Java) --- README.org | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) diff --git a/README.org b/README.org index 24b3fdd..9374231 100644 --- a/README.org +++ b/README.org 
@@ -78,20 +78,34 @@ ** Modeling *** Review: SQLite Injection Workshop, Java - - Recap the Java-based injection example. + We begin with a recap of the Java-based injection example, focusing on the + vulnerable code in [[./codeql-sqlite-java/AddUser.java][AddUser.java]]. Following that, we examine a fully manual + CodeQL query available in [[./codeql-sqlite-java/full-query.ql][full-query.ql]], which was written to explicitly trace + tainted data through the program. Next, we explore the out-of-the-box query + [[./ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql][SqlTainted.ql]] included in the standard CodeQL packs, and conclude with an + inspection of the relevant base classes and framework modeling in + [[./codeql-sqlite-java/Illustrations.ql][Illustrations.ql]]. -*** Customizations via codeql, java - - codeql-dataflow-sql-injection-c/README.org, [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]] - - TODO raw md from staging: codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md +*** Customizations via codeql (Java) + To customize CodeQL for Java, we identify and extend base classes to add + custom flow sources and sinks. A general explanation of this approach is + available in the file [[./codeql-dataflow-sql-injection-c/README.org][README.org]], particularly + the section [[file:codeql-dataflow-sql-injection-c/README.org::*supplement codeql: Add to FlowSource or a subclass][supplement codeql: Add to FlowSource or a subclass]]. For Java, + [[./ql/java/ql/lib/java.qll][java.qll]] includes [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which provides extension points for + custom flow modeling -- this structure is common across most CodeQL-supported + languages, with the notable exception of C. 
Further details on this + customization process can be found in + [[./codeql-dataflow-sql-injection-c/incoming.codeql-customizations-workshop.md][incoming.codeql-customizations-workshop.md]]. -*** Model Editor: Single-function case (Java, SQLite sample) + +*** Model Editor: Single-function case (Java SQLite sample) 1. Extend the Java example using the model editor. The data and spec are present. 1. This sample illustrates a subtle problem with the model editor: =java.io.Console.readLine()= is already modeled as a /taint step/ and therefore does not appear in the editor. However, we need it modeled as a /source/, which requires special handling. - 2. Extension spec: [[file:~/work-gh/codeql-lab/.github/codeql/extensions/sqlite-db/codeql-pack.yml::name: pack/sqlite-db]] - 3. Extension data: [[file:~/work-gh/codeql-lab/.github/codeql/extensions/sqlite-db/models/sqlite.model.yml::extensions:]] + 2. Extensions included: [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]] + 3. Extension data: [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]] 4. Explanation: [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]] 2. Explain how the "models-as-data" system works internally: 1. Use a diagnostic query to enumerate current sources and sinks. @@ -139,7 +153,7 @@ - The model definition files exist - Data files exist - There is no editor - - Generate YAML manually. + - Generate YAML manually - Use the C version of the SQLite injection workshop as reinforcement. 1. Code: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]
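Review bot: In the first hunk, the "Model Editor: Single-function case" list is now mixed: items 2 and 3 were correctly converted from `file:~/work-gh/codeql-lab/...` to repo-relative `./.github/codeql/extensions/sqlite-db/...` links, but item 4 still reads `[[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data]...]`, which only resolves on the author's machine; change it to `[[./codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]` for consistency with the lines above it. Two smaller points in the same hunk: the label "Extensions included:" replaced "Extension spec:" for the `codeql-pack.yml` link, but that file is the pack specification, so "Extension pack spec:" would be clearer next to "Extension data:"; and the removed "TODO raw md from staging" line was the only marker that `incoming.codeql-customizations-workshop.md` is unreviewed staging material, so either keep a note to that effect or confirm in the commit message that the file is ready to be cited as "further details".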
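Review bot: The second hunk only drops the trailing period from "Generate YAML manually", but the unchanged context line directly below it, `1. Code: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]`, has the same home-directory path problem that the first hunk fixed for the Java extension links; since this change is already touching the list, convert it to `[[./codeql-dataflow-sql-injection-c/add-user.c]]` so the C reinforcement section is navigable from a fresh checkout.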