devbox
菜鸟追梦旅行
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

codeql使用指南

作者:菜鸟追梦旅行 | 2024-04-30 18:46:38

codeql

目录

简介

hello world

1、安装codeql-cli 和 ql库

2、创建源码数据库

3、编写hello world

4、执行查询

进阶

1、扫描结果快速定位到源码

2、用作白盒扫描器

3、开发自己的查询代码

4、分析GitHub上的开源项目

​5、语法规则学习

codeql安全能力

java

实战

宽泛的跨域配置

简介

codeql是一门类似SQL的查询语言,通过对项目源码(C/C++、C#、golang、java、JavaScript、typescript、python)进行完整编译,并在此过程中把项目源码文件的所有相关信息(调用关系、语法语义、语法树)存在数据库中,然后编写代码查询该数据库来发现安全漏洞(硬编码/XSS等)

 

hello world

1、安装codeql-cli 和 ql库

codeql-cli是执行文件,ql库是已经写好的可以查询安全漏洞的代码

下载地址:

codeql-cli:https://github.com/github/codeql-cli-binaries/releases

ql库:https://github.com/github/codeql/releases

 

两个下载的zip文件务必解压在同一目录(codeql-home)下(因为codeql-cli把同层目录作为查找路径),并将codeql-cli放在系统目录中(Linux添加export PATH=$PATH:/home/f/.local/bin:/mnt/c/Users/xx/codeql-home/codeql-cli到.bashrc文件末尾)

 

2、创建源码数据库

首先clone项目源码:git clone https://github.com/XiaoMi/galaxy-sdk-java.git

然后创建源码数据库:codeql database create source_database_name  --language=java

 

3、编写hello world

下载的ql库是codeql代码,有包结构/目录结构要求(qlpack.yml定义一个package),才能正常编译、执行。

 

java语言的漏洞查询代码目录在qllib/java/ql/src/Security/CWE,这里新建test.ql(qllib/java/ql/src/Security/test/test.ql)查询源码,内容:

  1. /**
  2.  
  3.  * @name sectest2
  4.  
  5.  * @description Writing sectest33
  6.  
  7.  * @kind problem
  8.  
  9.  * @problem.severity error
  10.  
  11.  * @precision high
  12.  
  13.  * @id java/sectest
  14.  
  15.  * @tags security
  16.  
  17.  *       external/cwe/cwe-113
  18.  
  19.  */
  20.  
  21. import java
  22.  
  23. from Parameter p
  24.  
  25. where not exists(p.getAnAccess())
  26.  
  27. select p, "no used param"

test.ql用来查询函数参数未使用的函数

 

4、执行查询

执行了查询代码之后,输出的内容即有漏洞的项目源代码

 

命令行执行:codeql database analyze source_database_name qllib/java/ql/src/Security/test/test.ql --format=csv --output=java-results.csv

 

查询发现的漏洞会输出到java-results.csv文件

 

 

进阶

1、扫描结果快速定位到源码

命令行方式执行查询,多少有些不便,使用vscode codeql插件则方便的多

安装完插件,需要在插件中指定待查询的源码库(第2步产生的文件夹),

然后在vscode中打开test.ql,右键运行查询,结果会自动打开

2、用作白盒扫描器

ql库集成了许多常见的安全漏洞(参考:https://codeql.github.com/codeql-query-help/java/),可以拿来扫描项目源码

 

codeql analyze命令可以执行单个ql文件,目录下所有ql文件,和查询suite(.qls)

 

白盒扫描使用如下命令(执行所有漏洞类查询)

codeql database analyze source_database_name qllib/java/ql/src/codeql-suites/java-security-extended.qls --format=csv --output=java-results.csv

 

3、开发自己的查询代码

ql入门:https://codeql.github.com/docs/writing-codeql-queries/introduction-to-ql/

各语言文档:https://codeql.github.com/docs/codeql-language-guides/abstract-syntax-tree-classes-for-working-with-java-programs/

 

目前codeql文档较少,只能照已有的规则进行模仿

qll文件是库文件,有很多函数可以直接import使用;qhelp是帮助说明文件;

 

ql文件(qllib/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql)如下:

注释部分是meta信息(都有重要作用,比如tags可以用来归属规则suites),

import同其他编程语言类似,可以导入现成的函数使用(qllib/java/ql/src/semmle/code/java)

from用来定义变量,where是判断规则,select是输出

  1. /**
  2.  
  3.  * @name Failure to use secure cookies
  4.  
  5.  * @description Insecure cookies may be sent in cleartext, which makes them vulnerable to
  6.  
  7.  *              interception.
  8.  
  9.  * @kind problem
  10.  
  11.  * @problem.severity error
  12.  
  13.  * @precision high
  14.  
  15.  * @id java/insecure-cookie
  16.  
  17.  * @tags security
  18.  
  19.  *       external/cwe/cwe-614
  20.  
  21.  */
  22.  
  23. import java
  24.  
  25. import semmle.code.java.frameworks.Servlets
  26.  
  27.  
  28.  
  29. from MethodAccess add
  30.  
  31. where
  32.  
  33.   add.getMethod() instanceof ResponseAddCookieMethod and
  34.  
  35.   not exists(Variable cookie, MethodAccess m |
  36.  
  37.     add.getArgument(0) = cookie.getAnAccess() and
  38.  
  39.     m.getMethod().getName() = "setSecure" and
  40.  
  41.     m.getArgument(0).(BooleanLiteral).getBooleanValue() = true and
  42.  
  43.     m.getQualifier() = cookie.getAnAccess()
  44.  
  45.   )
  46.  
  47. select add, "Cookie is added to response without the 'secure' flag being set."

 

有两类查询alert和path,从ql文件中的@kind problem/path-problem分辨,alert查询select返回两个字段(qllib/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql,select element, string),path查询(污点查找)select返回4个字段(qllib/java/ql/src/Security/CWE/CWE-079/XSS.ql,select element, source, sink, string),path查询带有调用链

 

4、分析GitHub上的开源项目

直接搜索即可

https://lgtm.com/search?q=xiaomi

 

https://lgtm.com/projects/g/XiaoMi/minos/?mode=list&result_filter=0e00f5fa7b93849767c1677dc71d9400f85c6a54

该开源项目存在xss漏洞:https://github.com/XiaoMi/minos/issues/43

 

 

​5、语法规则学习

①定义类/方法

  1. /**
  2.  * A class that has `javax.servlet.Servlet` as an ancestor.
  3.  */
  4. class ServletClass extends Class {
  5.   ServletClass() { getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") }
  6. }

方法

  1. /**
  2.  * The interface `javax.servlet.http.HttpServletResponse`.
  3.  */
  4. class HttpServletResponse extends RefType {
  5.   HttpServletResponse() { hasQualifiedName("javax.servlet.http", "HttpServletResponse") }
  6. }
  7.  
  8. /**
  9.  * The method `addCookie(Cookie)` declared in `javax.servlet.http.HttpServletResponse`.
  10.  */
  11. class ResponseAddCookieMethod extends Method {
  12.   ResponseAddCookieMethod() {
  13.     getDeclaringType() instanceof HttpServletResponse and
  14.     hasName("addCookie")
  15.   }
  16. }
  17.  
  18. //========================
  19.  
  20. /** The class `java.lang.String`. */
  21. class TypeString extends Class {
  22.   TypeString() { this.hasQualifiedName("java.lang", "String") }
  23. }
  24. /**
  25.  * The method `getHeader(String)` declared in `javax.servlet.http.HttpServletRequest`.
  26.  */
  27. library class HttpServletRequestGetHeaderMethod extends Method {
  28.   HttpServletRequestGetHeaderMethod() {
  29.     getDeclaringType() instanceof HttpServletRequest and
  30.     hasName("getHeader") and
  31.     getNumberOfParameters() = 1 and
  32.     getParameter(0).getType() instanceof TypeString
  33.   }
  34. }

②查询所有外部输入

  1. import java
  2.  
  3. import semmle.code.java.dataflow.FlowSources
  4.  
  5.  
  6.  
  7. from RemoteFlowSource rls
  8.  
  9. select rls, "t:"+rls.getSourceType()

③获取所有外部依赖

  1. /**
  2.  
  3.  * @name dependency version
  4.  
  5.  * @description version with vulnerabilities
  6.  
  7.  * @kind problem
  8.  
  9.  * @problem.severity error
  10.  
  11.  * @precision high
  12.  
  13.  * @id java/dependency-version
  14.  
  15.  * @tags security
  16.  
  17.  *       external/cwe/cwe-113
  18.  
  19.  */
  20.  
  21. import java
  22.  
  23. import semmle.code.xml.MavenPom
  24.  
  25. predicate getCompileDependency(PomDependency dependency) {
  26.  
  27.   dependency.getScope() = "compile" or dependency.getScope() = "runtime"
  28.  
  29.   }
  30.  
  31.   
  32.  
  33.   from PomDependency dependency
  34.  
  35.   where  getCompileDependency(dependency)
  36.  
  37.   select dependency,
  38.  
  39.     "dependency: " +
  40.  
  41.     dependency.getShortCoordinate()+":"+dependency.getVersionString()

④获取某方法的所有调用

  1. /**
  2.  
  3.  * The class `com.xiaomi.miui.lockServer.utils. HttpUtils `.
  4.  
  5.  */
  6.  
  7. class TypeAbstractRequestMatcherRegistry extends Class {
  8.  
  9.     TypeAbstractRequestMatcherRegistry() {
  10.  
  11.       this.hasQualifiedName("com.xiaomi.miui.lockServer.utils",
  12.  
  13.         "HttpUtils")
  14.  
  15.     }
  16.  
  17.   }
  18.  
  19. /** A call to `HttpUtils. getRemoteUserIP ` method. */
  20.  
  21. class AnyRequestCall extends MethodAccess {
  22.  
  23.     AnyRequestCall() {
  24.  
  25.       getMethod().hasName("getRemoteUserIP") and
  26.  
  27.       getMethod().getDeclaringType() instanceof TypeAbstractRequestMatcherRegistry
  28.  
  29.     }
  30.  
  31.   }
  32.  
  33.  
  34.  
  35. from Call c, Callable callee
  36.  
  37. where callee = c.getCallee() and callee.getAReference() instanceof AnyRequestCall
  38.  
  39. select c, "t:"+c.getQualifier()+" "+c.getCallee()
  40.  
  41.  
  42.  
  43. //另外一种简便方式
  44.  
  45. from Call c
  46.  
  47. where c.getQualifier().toString() = "httpUtils" and c.getCallee().toString() = "getRemoteUserIP"
  48.  
  49. select c, "t:"+c.getQualifier()+c.getCallee()
  50.

⑤获取某方法的调用链

  1. /**
  3.  * @name sectest2
  5.  * @description Writing sectest33
  7.  * @kind path-problem
  9.  * @problem.severity error
  11.  * @precision high
  13.  * @id java/sectest
  15.  * @tags security
  17.  *       external/cwe/cwe-113
  19.  */
  20.  
  21. import java
  22.  
  23. import semmle.code.java.dataflow.FlowSources
  24.  
  25. import DataFlow::PathGraph
  26.  
  27.  
  28.  
  29. class GetOrderIdByIMEIMethod extends Method {
  30.  
  31.   GetOrderIdByIMEIMethod() {
  32.  
  33.     getDeclaringType().hasQualifiedName("com.xiaomi.miui.lockServer.utils", "HttpUtils") and
  34.  
  35.     hasName("getRemoteUserIP")
  36.  
  37.   }
  38.  
  39. }
  40.  
  41. //ql自动调用实现类中的方法
  42.  
  43. abstract class HeaderSplittingSink extends DataFlow::Node { }
  44.  
  45. //sink为目标函数的参数
  46.  
  47. class OrderHeaderSplittingSink extends HeaderSplittingSink{
  48.  
  49.   OrderHeaderSplittingSink(){
  50.  
  51.     exists(GetOrderIdByIMEIMethod m, MethodAccess ma |
  52.  
  53.       ma.getMethod() = m and
  54.  
  55.       this.asExpr() = ma.getArgument(0)
  56.  
  57.     )
  58.  
  59.   }
  60.  
  61. }
  62.  
  63. class ResponseSplittingConfig extends TaintTracking::Configuration {
  64.  
  65.   ResponseSplittingConfig() { this = "ResponseSplittingConfig" }
  66.  
  67.   override predicate isSource(DataFlow::Node source) {
  68.  
  69.     //source instanceof RemoteFlowSource
  70.  
  71.     exists(source.asExpr())
  72.  
  73.   }
  74.  
  75.   override predicate isSink(DataFlow::Node sink) { sink instanceof HeaderSplittingSink }
  76.  
  77. }
  78.  
  79. from DataFlow::PathNode source, DataFlow::PathNode sink, ResponseSplittingConfig conf
  80.  
  81. where conf.hasFlowPath(source, sink)
  82.  
  83. select sink.getNode(), source, sink, "vulnerability due to this $@.",
  84.  
  85.   source.getNode(), "user-provided value"
  86.

⑥判断参数值

MethodAccess ma | ma.getArgument(1).(StringLiteral).getValue() = "Nonex"

⑦嵌套类定义

  1. class JaxRsResponseBuilder2 extends Class {
  2.  
  3.   JaxRsResponseBuilder2() { this.hasQualifiedName("javax.ws.rs.core", "Response$ResponseBuilder") }
  4.  
  5. }

codeql安全能力

java

1、zip slip(zip解压覆盖任意文件)

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql

2、命令注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql

3、cookie安全

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql

4、XSS

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-079/XSS.ql

5、依赖漏洞

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

6、反序列化

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql

7、http头注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql

8、url跳转

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql

9、ldap注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql

10、sql注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql

11、file权限&目录注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql

12、xml注入

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXE.ql

13、SSL校验

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql

14、弱加密

https://github.com/github/codeql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql

15、随机数种子可预测

https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql

实战

宽泛的跨域配置

查看结果 https://lgtm.com/query/7135375648193136280/

代码:

  1. /**
  2.  * @name access-control-allow-origin
  3.  * @description set access-control-allow-origin with *
  4.  * @kind problem
  5.  * @problem.severity error
  6.  * @precision high
  7.  * @id java/corserror
  8.  * @tags security
  9.  *       external/cwe/cwe-113
  10.  */
  12. import java
  13. import semmle.code.java.dataflow.FlowSources
  14. class JaxRsResponseBuilder2 extends Class {
  15.   JaxRsResponseBuilder2() { this.hasQualifiedName("javax.ws.rs.core", "Response$ResponseBuilder") }
  16. }
  17. class JaxRsResponseBuilderMethod extends Method {
  18.   JaxRsResponseBuilderMethod() {
  19.     getDeclaringType() instanceof JaxRsResponseBuilder2 and
  20.     hasName("header")
  21.   }
  22. }
  23. predicate broadCors(MethodAccess ma){
  24.   exists(JaxRsResponseBuilderMethod m|
  25.       ma.getMethod() = m and ma.getArgument(0).(StringLiteral).getValue().toLowerCase() = "access-control-allow-origin" and ma.getArgument(1).(StringLiteral).getValue() = "*"
  26.     )
  27.     
  28. }
  29. predicate broadCors2(MethodAccess ma){
  30.   exists(ResponseSetHeaderMethod m|
  31.       ma.getMethod() = m and ma.getArgument(0).(StringLiteral).getValue().toLowerCase() = "access-control-allow-origin" and ma.getArgument(1).(StringLiteral).getValue() = "*"
  32.     )
  33.     
  34. }
  35. predicate broadCors3(MethodAccess ma){
  36.   exists(ResponseAddHeaderMethod m|
  37.       ma.getMethod() = m and ma.getArgument(0).(StringLiteral).getValue().toLowerCase() = "access-control-allow-origin" and ma.getArgument(1).(StringLiteral).getValue() = "*"
  38.     )
  39.     
  40. }
  41. from MethodAccess ma
  42. where broadCors(ma) or broadCors2(ma) or broadCors3(ma)
  43. select ma, "CORS vulnerability due to this"+" "+ma.getCaller()

 

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/菜鸟追梦旅行/article/detail/514694
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号