Table of Contents
1. SQL injection example
This directory contains the codeql session snapshots as well as the full query ./full-query-old-style.ql
The rest of this README contains a description of the query's development.
1.1. Develop the query bottom-up
Identify the source part of the
System.console().readLine();
expression, the
bufargument. Start from afrom..where..select, then convert to a predicate.Identify the sink part of the
conn.createStatement().executeUpdate(query);
expression, the
queryargument. Again start fromfrom..where..select, then convert to a predicate.- Fill in the taintflow configuration boilerplate.
The final query is in ./full-query.ql
1.2. (optional) Review of the results via SARIF file
Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description.
Requires [BROKEN LINK: No match for fuzzy expression: *Build the codeql database]
# The setup information from before SRCDIR=$HOME/local/codeql-workshop-sql-injection-java DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD) # The directory containing the query SESSIONDIR=$(pwd -P) # Check paths echo $DB echo $SRCDIR # To see the help codeql database analyze -h # Run a query \ codeql database analyze \ -v \ --ram=14000 \ -j12 \ --rerun \ --format=sarif-latest \ --output java-sqli.sarif \ -- \ $DB \ $SESSIONDIR/full-query.ql # Examine the file in an editor edit java-sqli.sarif
An example of using the sarif data is in the the jq script ./sarif-summary.jq. When run against the sarif input via
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
it produces output in a form close to that of compiler error messages:
query-id: message line
Path
...
Path
...
1.3. (optional) Include query help in the SARIF file
Query results are available in several output formats using the cli. The following produces the sarif format, a json-based result description. It includes the markdown-formatted query help.
Requires [BROKEN LINK: No match for fuzzy expression: *Build the codeql database]
# The setup information from before SRCDIR=$HOME/local/codeql-workshop-sql-injection-java DB=$SRCDIR/java-sqli-$(cd $SRCDIR && git rev-parse --short HEAD) # The directory containing the query SESSIONDIR=$(pwd -P) # Check paths echo $DB echo $SRCDIR # Convert .qhelp to .md codeql generate query-help \ --format=markdown \ -o full-query.md \ full-query.ql # Run the query codeql database analyze \ -v \ --ram=14000 \ -j12 \ --rerun \ --format=sarif-latest \ --output java-sqli.sarif \ --sarif-include-query-help=always \ -- \ $DB \ $SESSIONDIR/full-query.ql # Check for a substring of the help to make sure it's included grep -l 'solution' * # Examine the file in an editor edit java-sqli.sarif
An example of using the sarif data is in the the jq script ./sarif-summary.jq. When run against the sarif input via
jq --raw-output --join-output -f sarif-summary.jq < java-sqli.sarif > java-sqli.txt
it produces output in a form close to that of compiler error messages:
query-id: message line
Path
...
Path
...
1.4. (optional) Write query help
Help is included from a markdown file. For a query foo.ql the file foo.md
is included in the SARIF output when the
--sarif-include-query-help=always
flag is set.
To write such a help file, copy the template in ./help-template.md and customize the content.