hohn/codeql-lab
1
0
Fork 0
mirror of https://github.com/hohn/codeql-lab.git synced 2025-12-16 18:03:08 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add starting point for taint debugging java sqli

Browse Source
This commit is contained in:
Kristen Newbury
2025-07-30 11:55:22 -04:00
parent 08424828d6
commit d2595c657f
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
codeql-sqlite/TaintFlowDebugging.ql Normal file
View File

@@ -0,0 +1,67 @@
/**
* @name introduction workshop
* @description Sample SQL Injection problem
* @id test
* @kind path-problem
* @problem.severity warning
*/
import java
import semmle.code.java.dataflow.FlowSources
class ReadLineSource extends Source {
ReadLineSource() { this.getMethod().hasQualifiedName("java.io", "Console", "readLine") }
}
abstract class Source extends MethodCall { }
class Sink extends MethodCall {
Sink() { this.getMethod().hasQualifiedName("java.sql", "Statement", "executeUpdate") }
}
// from Sink s
// select s, ""
// from MethodCall mc
// where mc.getMethod().getName() = "readLine"
// select mc, mc.getMethod().getQualifiedName()
import semmle.code.java.dataflow.TaintTracking
module MyFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
//exists(Source s | source.asExpr() = s)
source.asExpr() instanceof Source
}
predicate isSink(DataFlow::Node sink) {
//sink.asExpr() instanceof Sink
exists(Sink sink2 | sink.asExpr() = sink2.getArgument(_))
//any()
}
predicate isBarrier(DataFlow::Node node) {
exists(MethodCall s |
s.getMethod().getName() = "hypotheticalSanitizer" and
s.getAnArgument() = node.asExpr()
)
}
// predicate isAdditionalFlowStep(DataFlow::Node inNode, DataFlow::Node outNode) {
// exists(MethodCall mc |
// outNode.asExpr() = mc and
// mc.getMethod().hasQualifiedName("java.lang", "String", "format") and
// inNode.asExpr() = mc.getAnArgument()
// )
// // exists(MethodCall mc |
// // mc.getAnArgument() = inNode.asExpr() and
// // outNode.asExpr() = mc
// // )
// }
}
//purposely does not find the result
module MyFlow = DataFlow::Global<MyFlowConfiguration>;
import MyFlow::PathGraph
from MyFlow::PathNode source, MyFlow::PathNode sink
where MyFlow::flowPath(source, sink)
select sink, source, sink, "Potential sql injection here "