Merge pull request #1 from hohn/query-help

Add sample for including query help

session/AddUser.java

@@ -0,0 +1,45 @@
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+public class AddUser {
+    public static Connection connect() {
+        Connection conn = null;
+        try {
+            String url = "jdbc:sqlite:users.sqlite";
+            conn = DriverManager.getConnection(url);
+            System.out.println("Connected...");
+        } catch (SQLException e) {
+            System.out.println(e.getMessage());
+        }
+        return conn;
+    }
+
+    static String get_user_info() {
+        System.out.println("Enter name:");
+        return System.console().readLine();
+    }
+
+    static void write_info(int id, String info) {
+        try (Connection conn = connect()) { 
+            String query = String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
+            conn.createStatement().executeUpdate(query);
+            System.err.printf("Sent: %s", query);
+        } catch (SQLException e) {
+            System.out.println(e.getMessage());
+        }
+    }
+    
+    static int get_new_id() {
+        return (int)(Math.random()*100000);
+    }
+
+    public static void main(String[] args) {
+        String info;
+        int id;
+
+        info = get_user_info();
+        id = get_new_id();
+        write_info(id, info);
+    }
+}

session/README.org

@@ -48,7 +48,6 @@
             --rerun                                  \
             --format=sarif-latest                    \
             --output java-sqli.sarif                 \
-            --sarif-include-query-help=always        \
             --                                       \
             $DB                                      \
             $SESSIONDIR/full-query.ql
@@ -71,3 +70,70 @@
             ...
    #+END_SRC
    
+** (optional) Include query help in the SARIF file 
+   Query results are available in several output formats using the cli.  The
+   following produces the sarif format, a json-based result description.  It
+   includes the markdown-formatted query help.
+
+   Requires [[file:~/local/codeql-workshop-sql-injection-java/src/README.org::*Build the codeql database][Build the codeql database]]
+
+   #+BEGIN_SRC sh
+     # The setup information from before
+     SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
+     DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
+
+     # The directory containing the query
+     SESSIONDIR=$(pwd -P)
+
+     # Check paths
+     echo $DB
+     echo $SRCDIR
+
+     # Convert .qhelp to .md
+     codeql generate query-help                      \
+            --format=markdown                        \
+            -o full-query.md                         \
+            full-query.ql
+
+     # Run the query
+     codeql database analyze                         \
+            -v                                       \
+            --ram=14000                              \
+            -j12                                     \
+            --rerun                                  \
+            --format=sarif-latest                    \
+            --output java-sqli.sarif                 \
+            --sarif-include-query-help=always        \
+            --                                       \
+            $DB                                      \
+            $SESSIONDIR/full-query.ql
+
+     # Check for a substring of the help to make sure it's included
+     grep  -l 'solution' *
+
+     # Examine the file in an editor
+     edit java-sqli.sarif
+   #+END_SRC
+
+   An example of using the sarif data is in the the jq script [[./sarif-summary.jq]].
+   When run against the sarif input via 
+   #+BEGIN_SRC sh
+     jq --raw-output --join-output  -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
+   #+END_SRC
+   it produces output in a form close to that of compiler error messages:
+   #+BEGIN_SRC text
+     query-id: message line 
+         Path
+            ...
+         Path
+            ...
+   #+END_SRC
+   
+** (optional) Write query help
+   Help is included from a markdown file.  For a query =foo.ql= the file =foo.md=
+   is included in the SARIF output when the
+   : --sarif-include-query-help=always
+   flag is set.
+
+   To write such a help file, copy the template in [[./help-template.md]] and
+   customize the content.

session/full-query.qhelp

@@ -0,0 +1,47 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Loops can contain multiple exit conditions, either directly in the loop
+condition or as guards around <code>break</code> or <code>return</code>
+statements.  If none of the exit conditions can ever be satisfied, then
+the loop will never terminate.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When writing a loop that is intended to terminate, make sure that all the
+necessary exit conditions can be satisfied and that loop termination is clear.
+</p>
+
+</recommendation>
+
+<example>
+<p>
+The following example searches for a field of a given name, and intends to
+throw an exception if the field cannot be found.  However, if the field cannot
+be found, the double loop structure means that the exit conditions will never
+be met, resulting in an infinite loop.
+</p>
+<sample src="AddUser.java" />
+
+<p>
+The solution is to rewrite the code as follows using an <code>if</code>-statement.
+</p>
+
+</example>
+
+<references>
+
+<li>
+Java Language Specification:
+<a href="https://docs.oracle.com/javase/specs/jls/se11/html/jls-14.html">Blocks and Statements</a>.
+</li>
+
+</references>
+
+</qhelp>

session/help-template.md

@@ -0,0 +1,18 @@
+# SQLI Vulnerability
+Loops can ...
+
+## Recommendation
+When writing...
+
+## Example
+The following example ...
+
+```java
+import java.sql.Connection;
+...
+```
+The solution is ...
+
+## References
+* Java Language Specification: [Blocks and Statements](https://docs.oracle.com/javase/specs/jls/se11/html/jls-14.html).
+