SQL injection example
This directory contains the codeql session snapshots as well as the full query ./full-query-old-style.ql
The rest of this README contains a description of the query's development.
Develop the query bottom-up
-
Identify the source part of the
System.console().readLine();
expression, the
bufargument. Start from afrom..where..select, then convert to a predicate. -
Identify the sink part of the
conn.createStatement().executeUpdate(query);
expression, the
queryargument. Again start fromfrom..where..select, then convert to a predicate. - Fill in the taintflow configuration boilerplate.
The final query is in ./full-query.ql
(optional) Review of the results via SARIF file
Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description.
Requires Build the codeql database
# The setup information from before
SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
# The directory containing the query
SESSIONDIR=$(pwd -P)
# Check paths
echo $DB
echo $SRCDIR
# To see the help
codeql database analyze -h
# Run a query \
codeql database analyze \
-v \
--ram=14000 \
-j12 \
--rerun \
--format=sarif-latest \
--output java-sqli.sarif \
-- \
$DB \
$SESSIONDIR/full-query.ql
# Examine the file in an editor
edit java-sqli.sarifAn example of using the sarif data is in the the jq script ./sarif-summary.jq. When run against the sarif input via
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txtit produces output in a form close to that of compiler error messages:
query-id: message line
Path
...
Path
...(optional) Include query help in the SARIF file
Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description. It includes the markdown-formatted query help.
Requires Build the codeql database
# The setup information from before
SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
# The directory containing the query
SESSIONDIR=$(pwd -P)
# Check paths
echo $DB
echo $SRCDIR
# Convert .qhelp to .md
codeql generate query-help \
--format=markdown \
-o full-query.md \
full-query.ql
# Run the query
codeql database analyze \
-v \
--ram=14000 \
-j12 \
--rerun \
--format=sarif-latest \
--output java-sqli.sarif \
--sarif-include-query-help=always \
-- \
$DB \
$SESSIONDIR/full-query.ql
# Check for a substring of the help to make sure it's included
grep -l 'solution' *
# Examine the file in an editor
edit java-sqli.sarifAn example of using the sarif data is in the the jq script ./sarif-summary.jq. When run against the sarif input via
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txtit produces output in a form close to that of compiler error messages:
query-id: message line
Path
...
Path
...(optional) Write query help
Help is included from a markdown file. For a query foo.ql the file foo.md
is included in the SARIF output when the
--sarif-include-query-help=always
flag is set.
To write such a help file, copy the template in ./help-template.md and customize the content.