# SQL injection example

This directory contains the CodeQL session snapshots as well as the full query `./full-query-old-style.ql`.

The rest of this README contains a description of the query's development.
## Develop the query bottom-up

- Identify the source part of the `System.console().readLine();` expression, the `buf` argument. Start from a `from..where..select`, then convert it to a predicate.
- Identify the sink part of the `conn.createStatement().executeUpdate(query);` expression, the `query` argument. Again start from a `from..where..select`, then convert it to a predicate.
- Fill in the taint-flow configuration boilerplate.

The final query is in `./full-query.ql`.
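As an added, stand-alone worked example (not the workshop's `./full-query.ql` or `./full-query-old-style.ql`), the query below shows how the three steps above fit together: the two classes are the predicate form of the source and sink `from..where..select` queries, and the `SqliConfig` module plus `SqliFlow` is the taint-flow boilerplate that connects them. It assumes a recent CodeQL Java library, where the method-call class is named `MethodCall` (older libraries call it `MethodAccess`); the `@id` and message text are made up for this example.

```ql
/**
 * @name SQL injection from console input (added workshop example)
 * @description Console input reaches Statement.executeUpdate() without sanitisation.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/console-sqli
 */

import java
import semmle.code.java.dataflow.TaintTracking

/**
 * Step 1, as a predicate: a call to java.io.Console.readLine(), the value
 * that `System.console().readLine()` assigns to `buf`. This is the
 * `from MethodCall ma where ... select ma` query turned into a class.
 */
class ConsoleReadLine extends MethodCall {
  ConsoleReadLine() {
    this.getMethod().hasName("readLine") and
    this.getMethod().getDeclaringType().hasQualifiedName("java.io", "Console")
  }
}

/**
 * Step 2, as a predicate: a call to java.sql.Statement.executeUpdate(...).
 * The sink is its first argument, the `query` string.
 */
class ExecuteUpdateCall extends MethodCall {
  ExecuteUpdateCall() {
    this.getMethod().hasName("executeUpdate") and
    this.getMethod().getDeclaringType().hasQualifiedName("java.sql", "Statement")
  }
}

/** Step 3: the taint-flow configuration boilerplate wiring source to sink. */
module SqliConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof ConsoleReadLine
  }

  predicate isSink(DataFlow::Node sink) {
    sink.asExpr() = any(ExecuteUpdateCall call).getArgument(0)
  }
}

module SqliFlow = TaintTracking::Global<SqliConfig>;

import SqliFlow::PathGraph

from SqliFlow::PathNode source, SqliFlow::PathNode sink
where SqliFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "SQL statement built from console input read $@.", source.getNode(), "here"
```

Because the query is a `path-problem`, the SARIF output from `codeql database analyze` carries the full source-to-sink path for each result, which is what the `sarif-summary.jq` script later in this README prints. Note that the sink predicate matches only methods declared directly on `java.sql.Statement`; the standard library's SQL-injection query is broader and also covers `PreparedStatement`, string concatenation inside the query text and other JDBC entry points.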
## (optional) Review of the results via SARIF file

Query results are available in several output formats using the CLI. The following produces the SARIF format, a JSON-based result description.

Requires: *Build the codeql database* (the setup step from before).
```shell
# The setup information from before
SRCDIR=$HOME/local/codeql-workshop-sql-injection-java
DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD)

# The directory containing the query
SESSIONDIR=$(pwd -P)

# Check paths
echo $DB
echo $SRCDIR

# To see the help
codeql database analyze -h

# Run a query
codeql database analyze \
    -v \
    --ram=14000 \
    -j12 \
    --rerun \
    --format=sarif-latest \
    --output java-sqli.sarif \
    --sarif-include-query-help=always \
    -- \
    $DB \
    $SESSIONDIR/full-query.ql

# Examine the file in an editor (`edit` stands for your editor of choice)
edit java-sqli.sarif
```
An example of using the SARIF data is the jq script `./sarif-summary.jq`. When run against the SARIF input via

```shell
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
```

it produces output in a form close to that of compiler error messages: one `query-id: message line` header per result, each followed by the source-to-sink path of that result.

```
query-id: message line
Path
...
Path
...
```