* SQL injection example This directory contains the codeql session snapshots as well as the full query [[./full-query-old-style.ql]] The rest of this README contains a description of the query's development. ** Develop the query bottom-up 1. Identify the /source/ part of the : System.console().readLine(); expression, the =buf= argument. Start from a =from..where..select=, then convert to a predicate. 2. Identify the /sink/ part of the : conn.createStatement().executeUpdate(query); expression, the =query= argument. Again start from =from..where..select=, then convert to a predicate. 3. Fill in the /taintflow configuration/ boilerplate. The final query is in [[./full-query.ql]] ** (optional) Review of the results via SARIF file Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description. #+BEGIN_SRC sh # The setup information from before SRCDIR=$HOME/local/codeql-training-material.java-sqli/java/codeql-dataflow-sql-injection DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD) # Check paths echo $DB echo $SRCDIR # To see the help codeql database analyze -h # Run a query codeql database analyze \ -v \ --ram=14000 \ -j12 \ --rerun \ --search-path ~/local/vmsync/ql \ --format=sarif-latest \ --output java-sqli.sarif \ -- \ $DB \ $SRCDIR/SqlInjection.ql # Examine the file in an editor edit java-sqli.sarif #+END_SRC An example of using the sarif data is in the the jq script [[./sarif-summary.jq]]. When run against the sarif input via #+BEGIN_SRC sh jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt #+END_SRC it produces output in a form close to that of compiler error messages: #+BEGIN_SRC text query-id: message line Path ... Path ... #+END_SRC