Initial clone from https://github.com/advanced-security/codeql-workshops-staging/tree/master/java/codeql-dataflow-sql-injection

src/AddUser.java

@@ -0,0 +1,45 @@
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.SQLException;
+
+public class AddUser {
+    public static Connection connect() {
+        Connection conn = null;
+        try {
+            String url = "jdbc:sqlite:users.sqlite";
+            conn = DriverManager.getConnection(url);
+            System.out.println("Connected...");
+        } catch (SQLException e) {
+            System.out.println(e.getMessage());
+        }
+        return conn;
+    }
+
+    static String get_user_info() {
+        System.out.println("Enter name:");
+        return System.console().readLine();
+    }
+
+    static void write_info(int id, String info) {
+        try (Connection conn = connect()) { 
+            String query = String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
+            conn.createStatement().executeUpdate(query);
+            System.err.printf("Sent: %s", query);
+        } catch (SQLException e) {
+            System.out.println(e.getMessage());
+        }
+    }
+    
+    static int get_new_id() {
+        return (int)(Math.random()*100000);
+    }
+
+    public static void main(String[] args) {
+        String info;
+        int id;
+
+        info = get_user_info();
+        id = get_new_id();
+        write_info(id, info);
+    }
+}

src/Makefile

@@ -0,0 +1,26 @@
+add-user: add-user.c
+	clang -Wall add-user.c -lsqlite3 -o add-user
+
+clean:
+	rm -f README.html add-user cpp-sqli.sarif cpp-sqli.txt users.log
+	rm -f users.sqlite *.bak *~ cpp-sqli-demo.zip
+
+ZIPLIST :=					\
+    Makefile					\
+    README.org					\
+    SqlInjection.ql				\
+    add-user.c					\
+    add-user.sh					\
+    admin					\
+    build.sh					\
+    codeql-dataflow-sql-injection.md		\
+    codeql-overview-for-workshop.pdf		\
+    cpp-sqli.code-workspace			\
+    dataflow-cropped.pdf			\
+    qlpack.yml					\
+    sarif-summary.jq				\
+    session.ql
+
+demo-zip: 
+	rm -f cpp-sqli-demo.zip
+	zip cpp-sqli-demo.zip $(ZIPLIST)

src/README.org

@@ -0,0 +1,218 @@
+* SQL injection example
+** Setup and sample run
+   The jdbc connector at https://github.com/xerial/sqlite-jdbc, from [[https://github.com/xerial/sqlite-jdbc/releases/download/3.36.0.1/sqlite-jdbc-3.36.0.1.jar][here]] is
+   included in the git repository.
+
+   #+BEGIN_SRC sh
+     # Use a simple headline prompt 
+     PS1='
+     \033[32m---- SQL injection demo ----\[\033[33m\033[0m\]
+     $?:$ '
+
+     
+     # Build
+     ./build.sh
+
+     # Prepare db
+     ./admin -r
+     ./admin -c
+     ./admin -s 
+
+     # Add regular user interactively
+     ./add-user 2>> users.log
+     First User
+
+     # Check
+     ./admin -s
+
+     # Add Johnny Droptable 
+     ./add-user 2>> users.log
+     Johnny'); DROP TABLE users; --
+
+     # And the problem:
+     ./admin -s
+
+     # Check the log
+     tail users.log
+   #+END_SRC
+
+** Identify the problem
+   =./add-user= is reading from =STDIN=, and writing to a database; looking at the code in
+   [[./AddUser.java]] leads to
+   : System.console().readLine();
+   for the read and 
+   : conn.createStatement().executeUpdate(query);
+   for the write.
+
+   This problem is thus a dataflow problem; in codeql terminology we have
+   - a /source/ at the =System.console().readLine();=
+   - a /sink/ at the =conn.createStatement().executeUpdate(query);=
+
+   We write codeql to identify these two, and then connect them via
+   - a /dataflow configuration/ -- for this problem, the more general /taintflow
+     configuration/. 
+   
+** Build codeql database
+   To get started, build the codeql database (adjust paths to your setup):
+   #+BEGIN_SRC sh
+     # Build the db with source commit id.
+     export PATH=$HOME/local/vmsync/codeql250:"$PATH"
+     SRCDIR=$(pwd)
+     DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
+
+     echo $DB
+     test -d "$DB" && rm -fR "$DB"
+     mkdir -p "$DB"
+
+     cd $SRCDIR && codeql database create --language=java -s . -j 8 -v $DB --command='./build.sh'
+
+     # Check for AddUser in the db
+     unzip -v $DB/src.zip | grep AddUser
+   #+END_SRC
+
+   Then add this database directory to your VS Code =DATABASES= tab.
+
+
+** Build codeql database in steps
+   For larger projects, using a single command to build everything is costly when
+   any part of the build fails.
+   
+   To build a database in steps, use the following sequence, adjusting paths to
+   your setup:
+   #+BEGIN_SRC sh
+     # Build the db with source commit id.
+     export PATH=$HOME/local/vmsync/codeql250:"$PATH"
+     SRCDIR=$HOME/local/codeql-training-material.java-sqli/java/codeql-dataflow-sql-injection
+     DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
+
+     # Check paths
+     echo $DB
+     echo $SRCDIR
+
+     # Prepare db directory
+     test -d "$DB" && rm -fR "$DB"
+     mkdir -p "$DB"
+
+     # Run the build
+     cd $SRCDIR
+     codeql database init --language=java -s . -v $DB
+     # Repeat trace-command as needed to cover all targets
+     codeql database trace-command -v $DB -- make 
+     codeql database finalize -j4 $DB
+   #+END_SRC
+
+   Then add this database directory to your VS Code =DATABASES= tab.
+
+** Develop the query bottom-up
+   1. Identify the /source/ part of the 
+      : System.console().readLine();
+      expression, the =buf= argument.  
+      Start from a =from..where..select=, then convert to a predicate.
+
+   2. Identify the /sink/ part of the
+      : conn.createStatement().executeUpdate(query);
+      expression, the =query= argument.  Again start from =from..where..select=,
+      then convert to a predicate.
+
+   3. Fill in the /taintflow configuration/ boilerplate
+      #+BEGIN_SRC java
+        class SqliFlowConfig extends TaintTracking::Configuration {
+            SqliFlowConfig() { this = "SqliFlow" }
+
+            override predicate isSource(DataFlow::Node node) {
+                none()
+                    }
+
+            override predicate isSink(DataFlow::Node node) {
+                none()
+                    }
+        }
+      #+END_SRC
+
+   The final query (without =isAdditionalTaintStep=) is
+   #+BEGIN_SRC java
+     /**
+      ,* @name SQLI Vulnerability
+      ,* @description Using untrusted strings in a sql query allows sql injection attacks.
+      ,* @kind path-problem
+      ,* @id java/SQLIVulnerable
+      ,* @problem.severity warning
+      ,*/
+
+     import java
+     import semmle.code.java.dataflow.TaintTracking
+     import DataFlow::PathGraph
+
+     class SqliFlowConfig extends TaintTracking::Configuration {
+         SqliFlowConfig() { this = "SqliFlow" }
+
+         override predicate isSource(DataFlow::Node source) {
+            // System.console().readLine();
+            exists(Call read |
+                read.getCallee().getName() = "readLine" and
+                read = source.asExpr()
+            )
+        }
+
+         override predicate isSink(DataFlow::Node sink) {
+            // conn.createStatement().executeUpdate(query);
+            exists(Call exec |
+                exec.getCallee().getName() = "executeUpdate" and
+                exec.getArgument(0) = sink.asExpr()
+            )
+        }
+     }
+
+     from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+     where conf.hasFlowPath(source, sink)
+     select sink, source, sink, "Possible SQL injection"
+   #+END_SRC
+
+** Optional: sarif file review of the results
+   Query results are available in several output formats using the cli.  The
+   following produces the sarif format, a json-based result description.
+
+   #+BEGIN_SRC sh
+     # The setup information from before
+     export PATH=$HOME/local/vmsync/codeql250:"$PATH"
+     SRCDIR=$HOME/local/codeql-training-material.java-sqli/java/codeql-dataflow-sql-injection
+     DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
+
+     # Check paths
+     echo $DB
+     echo $SRCDIR
+
+     # To see the help
+     codeql database analyze -h
+
+     # Run a query
+     codeql database analyze                         \
+            -v                                       \
+            --ram=14000                              \
+            -j12                                     \
+            --rerun                                  \
+            --search-path ~/local/vmsync/ql          \
+            --format=sarif-latest                    \
+            --output java-sqli.sarif                 \
+            --                                       \
+            $DB                                      \
+            $SRCDIR/SqlInjection.ql
+
+     # Examine the file in an editor
+     edit java-sqli.sarif
+   #+END_SRC
+
+   An example of using the sarif data is in the the jq script [[./sarif-summary.jq]].
+   When run against the sarif input via 
+   #+BEGIN_SRC sh
+     jq --raw-output --join-output  -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
+   #+END_SRC
+   it produces output in a form close to that of compiler error messages:
+   #+BEGIN_SRC text
+     query-id: message line 
+         Path
+            ...
+         Path
+            ...
+   #+END_SRC
+   

src/SqlInjection.ql

@@ -0,0 +1,44 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/SQLIVulnerable
+ * @problem.severity warning
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+class SqliFlowConfig extends TaintTracking::Configuration {
+    SqliFlowConfig() { this = "SqliFlow" }
+
+    override predicate isSource(DataFlow::Node source) {
+        // System.console().readLine();
+        exists(Call read |
+            read.getCallee().getName() = "readLine" and
+            read = source.asExpr()
+        )
+    }
+
+    override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+
+    override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
+        // Extra taint step
+        //     String.format("INSERT INTO users VALUES (%d, '%s')", id, info);
+        // Not needed here, but may be needed for larger libraries.
+        none()
+    }
+
+    override predicate isSink(DataFlow::Node sink) {
+        // conn.createStatement().executeUpdate(query);
+        exists(Call exec |
+            exec.getCallee().getName() = "executeUpdate" and
+            exec.getArgument(0) = sink.asExpr()
+        )
+    }
+}
+
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"

src/add-user

@@ -0,0 +1,3 @@
+#!/bin/sh
+java -cp ".:sqlite-jdbc-3.36.0.1.jar" AddUser $@
+

src/admin

@@ -0,0 +1,60 @@
+#!/bin/bash
+
+set -e
+
+script=$(basename "$0")
+
+GREEN='\033[0;32m'
+MAGENTA='\033[0;95m'
+NC='\033[0m'
+RED='\033[0;31m'
+YELLOW='\033[0;33m'
+
+help() {
+    echo -e "Usage: ./${script} [options]" \
+         "\n${YELLOW}Options: ${NC}" \
+         "\n\t -h  ${GREEN}Show Help ${NC}" \
+         "\n\t -c  ${MAGENTA}Creates a users table ${NC}" \
+         "\n\t -s  ${MAGENTA}Shows all records in the users table ${NC}" \
+         "\n\t -r  ${RED}Removes users table ${NC}" 
+}
+remove-db () {
+    rm users.sqlite
+}
+
+create-db () {
+    echo '
+    CREATE TABLE users (
+        user_id INTEGER not null,
+        name TEXT NOT NULL
+    );
+    '  | sqlite3 users.sqlite 
+}        
+
+show-db () {
+    echo '
+    SELECT * FROM users;
+    ' | sqlite3 users.sqlite 
+}
+
+if [ $# == 0 ]; then 
+   help
+   exit 0
+fi
+
+while getopts "h?csr" option
+do
+    case "${option}"
+    in
+        h|\?)
+            help
+            exit 0
+        ;;
+        c)  create-db
+        ;;
+        s)  show-db
+        ;;
+        r)  remove-db
+        ;;
+    esac
+done

src/build.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+javac AddUser.java
+

src/sarif-summary.jq

@@ -0,0 +1,60 @@
+# -*- sh -*-
+.runs | .[] | .results | .[] |
+    ( (.ruleId, ": ", 
+       (.message.text | split("\n") | ( .[0], " [", length-1 , " more]")),
+       "\n")
+      , 
+      (if (.codeFlows != null) then
+          (.codeFlows | .[] | 
+               ("    Path\n"
+                ,
+                ( .threadFlows | .[] | .locations | .[] | .location | "        "
+                  ,
+                  ( .physicalLocation | ( .artifactLocation.uri, ":", .region.startLine, ":"))
+                  ,
+                  (.message.text, " ")
+                  , 
+                  "\n"
+                )))
+          else 
+              (.locations | .[] |
+                   ( "        "
+                     ,
+                     (.physicalLocation | ( .artifactLocation.uri, ":", .region.startLine, ":"))
+                   ))
+              ,
+              # .message.text, 
+              "\n"
+              end)
+    )  | tostring 
+
+# This script extracts the following parts of the sarif output:
+# 
+# # problem
+# "runs" : [ {
+#   "results" : [ {
+#     "ruleId" : "cpp/UncheckedErrorCode",
+
+# # path problem
+# "runs" : [ {
+#   "tool" : {
+#     "driver" : {
+#       "rules" : [ {
+#         "properties" : {
+#           "kind" : "path-problem",
+
+# "runs" : [ {
+#   "results" : [ {
+#     "ruleId" : "cpp/DangerousArithmetic",
+#     "ruleIndex" : 6,
+#     "message" : {
+#       "text" : "Potential overflow (conversion: int -> unsigned int)\nPotential overflow (con
+
+# "runs" : [ {
+#   "results" : [ {
+#     "codeFlows" : [ {
+#       "threadFlows" : [ {
+#         "locations" : [ {
+#           "location" : {
+#             "message" : {
+#               "text" : "buff"