2024-04-17 11:29:59 -07:00

* SQL injection example
This directory contains the codeql session snapshots as well as the full query
[[./full-query-old-style.ql]].
The rest of this README describes how the query was developed.
** Develop the query bottom-up
1. Identify the /source/ part of the
: System.console().readLine();
expression, the =buf= argument.
Start from a =from..where..select=, then convert to a predicate.
2. Identify the /sink/ part of the
: conn.createStatement().executeUpdate(query);
expression, the =query= argument. Again start from =from..where..select=,
then convert to a predicate.
3. Fill in the /taintflow configuration/ boilerplate.
The final query is in [[./full-query.ql]]
** (optional) Review of the results via SARIF file
Query results are available in several output formats from the CLI. The
following produces the SARIF format, a JSON-based result description.
Requires [[file:~/local/codeql-workshop-sql-injection-java/src/README.org::*Build the codeql database][Build the codeql database]]
#+BEGIN_SRC sh
# The setup information from before
SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
# The directory containing the query
SESSIONDIR=$(pwd -P)
# Check paths
echo $DB
echo $SRCDIR
# To see the help
codeql database analyze -h
# Run a query
codeql database analyze \
-v \
--ram=14000 \
-j12 \
--rerun \
--format=sarif-latest \
--output java-sqli.sarif \
-- \
$DB \
$SESSIONDIR/full-query.ql
# Examine the file in an editor
edit java-sqli.sarif
#+END_SRC
An example of using the SARIF data is in the jq script [[./sarif-summary.jq]].
When run against the SARIF input via
#+BEGIN_SRC sh
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
#+END_SRC
it produces output in a form close to that of compiler error messages:
#+BEGIN_SRC text
query-id: message line
Path
...
Path
...
#+END_SRC
** (optional) Include query help in the SARIF file
Query results are available in several output formats from the CLI. The
following produces the SARIF format, a JSON-based result description, and
includes the markdown-formatted query help.
Requires [[file:~/local/codeql-workshop-sql-injection-java/src/README.org::*Build the codeql database][Build the codeql database]]
#+BEGIN_SRC sh
# The setup information from before
SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)
# The directory containing the query
SESSIONDIR=$(pwd -P)
# Check paths
echo $DB
echo $SRCDIR
# Convert .qhelp to .md
codeql generate query-help \
--format=markdown \
-o full-query.md \
full-query.ql
# Run the query
codeql database analyze \
-v \
--ram=14000 \
-j12 \
--rerun \
--format=sarif-latest \
--output java-sqli.sarif \
--sarif-include-query-help=always \
-- \
$DB \
$SESSIONDIR/full-query.ql
# Check for a substring of the help to make sure it's included
grep -l 'solution' *
# Examine the file in an editor
edit java-sqli.sarif
#+END_SRC
** (optional) Write query help
Help is included from a markdown file. For a query =foo.ql= the file =foo.md=
is included in the SARIF output when the
: --sarif-include-query-help=always
flag is set.
To write such a help file, copy the template in [[./help-template.md]] and
customize the content.