|
169 | 169 | and repetitive pattern, making it ideal for large-scale modeling. The CodeQL |
170 | 170 | model editor can be used to efficiently define sources and sinks for such |
171 | 171 | cases. A detailed explanation is provided |
| 172 | + OK |
172 | 173 | in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Modeling Jedis as a Dependency in Model Editor][Modeling Jedis as a Dependency in Model Editor]], while validation of |
| 174 | + OK |
173 | 175 | the modeled sink is discussed in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Verifying the Modeled Sink][Verifying the Modeled Sink]]. |
174 | 176 | Finally, the query-level usage of these models can be seen |
| 177 | + OK |
175 | 178 | in [[file:~/work-gh/codeql-lab/codeql-jedis-java/README.org::*Identify usage of injection-related models in existing queries][Identify usage of injection-related models in existing queries]]. |
176 | 179 |
|
177 | 180 | *** Customizations via Model Editor: Single-function case (Java SQLite sample) |
|
184 | 187 | [[./.github/codeql/extensions/sqlite-db/codeql-pack.yml]], and the extension data |
185 | 188 | is provided in |
186 | 189 | [[./.github/codeql/extensions/sqlite-db/models/sqlite.model.yml]]. A detailed |
| 190 | + *OK* |
187 | 191 | explanation is available in [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]. |
188 | 192 |
|
189 | 193 | To support this, we explain how the "models-as-data" system works |
|
195 | 199 |
|
196 | 200 | *** Review: SQLite Injection Workshop (C) |
197 | 201 | This is the C version of the injection workshop, based on |
198 | | - [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]. It |
| 202 | + [[./codeql-dataflow-sql-injection-c/add-user.c]]. It |
199 | 203 | serves as the basis for both the "models-as-data" manual modeling and the |
200 | | - extension via Customizations.qll. |
| 204 | + extension via =Customizations.qll=. |
201 | 205 |
|
202 | | -*** Use models-as-data QL code directly (no graphical editor) |
203 | | - This section focuses on applying the models-as-data system without using the |
| 206 | +*** (PARTIAL) Use models-as-data QL code directly (no graphical editor) |
| 207 | + This section focuses on using the models-as-data system *without* the |
204 | 208 | graphical model editor. While model definition files and supporting data |
205 | | - already exist, we manually author YAML files for new models. This approach is |
206 | | - especially relevant for C, where graphical tooling is limited or nonexistent. |
| 209 | + already exist, we manually write YAML files to add or override flow |
| 210 | + behavior. This approach is especially relevant for C, where graphical tooling |
| 211 | + is limited or nonexistent. |
207 | 212 |
|
208 | | - As reinforcement, we use the C version of the SQLite injection workshop: |
209 | | - - The code sample is at [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]. |
210 | | - - The accompanying query is [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/SqlInjection.ql]]. |
| 213 | + As reinforcement, we reuse the C version of the SQLite injection workshop: |
| 214 | + - The code sample is at |
| 215 | + [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/add-user.c]]. |
| 216 | + - The accompanying query is |
| 217 | + [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/SqlInjection.ql]]. |
211 | 218 |
|
212 | | - We extend this example by modeling key functions manually: |
213 | | - - Add a source model for =count = read(STDIN_FILENO, buf, BUFSIZE);= |
214 | | - - Add a sink model for =rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);= |
| 219 | + For structural reference, see the Java version’s documentation (not the editor |
| 220 | + interface): [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]. There is no separate |
| 221 | + C-specific walkthrough because the YAML structure and logic are nearly |
| 222 | + identical. |
215 | 223 |
|
216 | | - For reference, see the Java version’s structure (but not the graphical |
217 | | - editor): [[file:~/work-gh/codeql-lab/codeql-sqlite-java/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]], and the corresponding |
218 | | - C-specific walkthrough: [[file:~/work-gh/codeql-lab/codeql-dataflow-sql-injection-c/README.org::*Using sqlite to illustrate models-as-data][Using sqlite to illustrate models-as-data]]. |
| 224 | + For workshop use, we extend the example by modeling key functions manually: |
| 225 | + - Add a source model for: =count = read(STDIN_FILENO, buf, BUFSIZE);= |
| 226 | + - Add a sink model for: =rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);= |
219 | 227 |
|
220 | 228 | We demonstrate how to define YAML-based models for standard functions like |
221 | | - =read()= and verify their effect using the out-of-the-box query |
222 | | - [[./ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql][SqlTainted.ql]]. As an additional example, we introduce the higher-level, |
223 | | - redundant =char* get_user_info()= as a custom source—even though it internally |
| 229 | + =read()= and verify their effect using the out-of-the-box query: |
| 230 | + [[./ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql][SqlTainted.ql]]. |
| 231 | + |
| 232 | + As an additional teaching case, we introduce the higher-level, redundant |
| 233 | + function =char* get_user_info()= as a custom source—even though it internally |
224 | 234 | calls a function already modeled as a source—to illustrate how user-defined |
225 | | - extensions propagate through the query logic. |
226 | | - |
227 | | -*** Extending Queries with Customizations.qll for C |
228 | | - The manual YAML modeling approach from the previous section works well for |
229 | | - isolated cases. However, to integrate seamlessly with idiomatic CodeQL |
230 | | - queries, we show how to extend the standard QL libraries via |
231 | | - =Customizations.qll= |
232 | | - |
233 | | - While most CodeQL-supported languages provide out-of-the-box support for |
234 | | - =Customizations.qll=, C and C++ do not include this by default. However, it is |
235 | | - possible to enable such support by building a custom CodeQL bundle. This can |
236 | | - be done using the CLI tool at |
237 | | - https://github.com/advanced-security/codeql-bundle. Since the tool functions |
238 | | - largely as a black box, we provide a more detailed illustration of the |
239 | | - underlying steps. |
240 | | - |
241 | | - A working demonstration is available in |
242 | | - [[./codeql-dataflow-sql-injection-c/README.org]]. In languages like Java, |
243 | | - =Customizations.qll= is included automatically via imports from |
244 | | - =<language>.qll=, such as [[./ql/java/ql/lib/java.qll][java.qll]] importing [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which defines |
245 | | - user-extensible predicates for flow modeling. |
246 | | - |
247 | | - For C/C++, the process requires explicit modification: |
248 | | - 1. Modify =ql/cpp/ql/lib/cpp.qll= to import =Customizations.qll=. |
249 | | - 2. Create and populate =ql/cpp/ql/lib/Customizations.qll= with custom sources/sinks or extensions. |
250 | | - 3. Rebuild the CodeQL bundle to include these changes. |
251 | | - |
252 | | - This customization enables consistent user-defined flow modeling across |
253 | | - languages, making it possible to reuse modeling patterns from Java or Python |
254 | | - in C/C++ contexts. |
| 235 | + extensions affect propagation logic. |
| 236 | + |
| 237 | +*** (PARTIAL) Extending Queries with Customizations.qll for C |
| 238 | + The manual YAML modeling approach described earlier works well for small or |
| 239 | + isolated cases. However, to fully integrate with idiomatic CodeQL |
| 240 | + queries—especially for large-scale or reusable analysis—you will want to |
| 241 | + extend the language’s internal dataflow configuration using |
| 242 | + =Customizations.qll=. |
| 243 | + |
| 244 | + Most CodeQL-supported languages (e.g., Java, Python) include out-of-the-box |
| 245 | + support for =Customizations.qll=. In these cases, the primary language module |
| 246 | + (e.g., [[./ql/java/ql/lib/java.qll][java.qll]]) automatically imports [[./ql/java/ql/lib/Customizations.qll][Customizations.qll]], which defines |
| 247 | + extension points for user-defined sources, sinks, and flow steps. |
| 248 | + |
| 249 | + Unfortunately, C and C++ do not include this mechanism by default. Enabling it |
| 250 | + requires modifying the language pack and rebuilding the CodeQL bundle. |
| 251 | + |
| 252 | + This section is *partially complete*: we illustrate the required QL changes, |
| 253 | + but do *not yet include* the full bundling process. |
| 254 | + |
| 255 | + To add Customizations support for C/C++, make the following changes: |
| 256 | + |
| 257 | + 1. Modify =ql/cpp/ql/lib/cpp.qll= to import your =Customizations.qll= module. |
| 258 | + 2. Create and populate =ql/cpp/ql/lib/Customizations.qll= with definitions for |
| 259 | + new sources, sinks, or flow steps. |
| 260 | + 3. For full deployment: Rebuild the CodeQL bundle to reflect these changes. |
| 261 | + |
| 262 | + The rebuilt bundle can then be used in VS Code or the CLI, enabling you to |
| 263 | + model C/C++ flows in a way that mirrors Java and other languages. Once this |
| 264 | + bundling step is automated, custom C/C++ modeling will follow the same |
| 265 | + developer workflow as any other language. |
| 266 | + |
| 267 | + 4. For workshops: The modifications have immediate effect |
255 | 268 |
|
256 | 269 | ** TODO CodeQL Bundling |
257 | 270 | This section will provide a detailed walkthrough of the CodeQL bundling process |
|
0 commit comments