CodeQL 升级V2.14踩坑

2023-08-09

升级前 v2.13.1
升级后 v2.14.1

升级前kafka jass ql 运行得好好的，升级后跑不出来。。。
好在以前遇到过这种问题，大概率又是CodeQL 升级的锅

0x01 猜测1: databae问题

database是v2.10.4版本codeql create的

用v2.13.1 版本codeql create，发现再codeql v2.14.1 ql run仍然不行，无结果，尝试用v2.14.1构建db

用v2.14.1构建，发现仍然失败

0x02 猜测2：语法变动

之前就有过partial flow 语法变动的经历，排查下

这里排查过程也踩了个坑，找了个DataFlow 的test ql抄抄发现不行

2.1 DataFlow VS TaintTracking

DataFlow 和TaintTracking 区别还是较大的

Normal data flow vs taint tracking
In the standard libraries, we make a distinction between ‘normal’ data flow and taint tracking. The normal data flow libraries are used to analyze the information flow in which data values are preserved at each step.

For example, if you are tracking an insecure object x (which might be some untrusted or potentially malicious data), a step in the program may ‘change’ its value. So, in a simple process such as y = x + 1, a normal data flow analysis will highlight the use of x, but not y. However, since y is derived from x, it is influenced by the untrusted or ‘tainted’ information, and therefore it is also tainted. Analyzing the flow of the taint from x to y is known as taint tracking.

In QL, taint tracking extends data flow analysis by including steps in which the data values are not necessarily preserved, but the potentially insecure object is still propagated. These flow steps are modeled in the taint-tracking library using predicates that hold if taint is propagated between nodes.

2.2 Final ql

最终的QL如下

/**
 * @kind path-problem
 */

import java
# 注意这里TaintFlow 为下面声明的module TaintFlow
import TaintFlow::PathGraph
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources


private class JavaxWSRSSource extends RemoteFlowSource {
  JavaxWSRSSource(){
      exists( 
          Method m, Annotation a | 
          m.getAParameter() = this.asParameter()
          and m.getAnAnnotation() = a
          and a.getType().hasQualifiedName("javax.ws.rs", "Path")
      )
  }
  override string getSourceType() { result = "javax.ws.rs" }
}

module TaintFlowConfig implements DataFlow::ConfigSig {
  int fieldFlowBranchLimit() { result = 100000 }

  predicate isSource(DataFlow::Node src) {
    // src instanceof RemoteFlowSource 
    src instanceof JavaxWSRSSource 
  }

  predicate isSink(DataFlow::Node sink) {
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%ChannelBuilders.java")
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%JaasContext.java")
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%JaasConfig.java")
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%AbstractLogin.java")
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%KerberosLogin.java")
    // and sink.asExpr().getEnclosingCallable().hasName("configure")
    // sink.asExpr().getLocation().getFile().getRelativePath().matches("%Login.java")
    // and sink.asExpr().getEnclosingCallable().hasName("login")
    // at last
    // 结论，不行
    exists( 
        ConstructorCall cc|
        cc.getConstructor().getDeclaringType().getASupertype*().hasQualifiedName("javax.security.auth.login", "LoginContext")
        and sink.asExpr() = cc.getArgument(3)
        // and this.asExpr() = cc
        and cc.getNumArgument() = 4
    )
  }

  predicate isAdditionalFlowStep (DataFlow::Node fromNode, DataFlow::Node toNode) {
    exists(ConstructorCall cc |
        cc.getAnArgument() = fromNode.asExpr()
        and cc = toNode.asExpr()
        and cc.getConstructor().getDeclaringType().hasQualifiedName("java.io", "StreamTokenizer")
    )
    or 
    exists(VarAccess va, ClassOrInterface ci |
        va.getQualifier().getType().getFile() = ci.getFile()
        and ci.getAField().hasName("sval")
        and ci.hasName("StreamTokenizer")
        and va.getVariable().hasName("sval")
        and va = toNode.asExpr()
        and va.getQualifier() = fromNode.asExpr()
    )
    or 
    exists(ConstructorCall cc |
        cc.getAnArgument() = fromNode.asExpr()
        and cc = toNode.asExpr()
        and cc.getConstructor().getDeclaringType().hasQualifiedName("javax.security.auth.login", "AppConfigurationEntry")
    )
    or
    exists(MethodAccess ma |  
        ma.getQualifier() = fromNode.asExpr()
        and ma = toNode.asExpr()
        and ma.getMethod().hasName("getOptions")
        and ma.getQualifier().getType().hasName("AppConfigurationEntry")
    )
  }

  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
    isSink(node)
    and (
        c instanceof DataFlow::FieldContent
        and c.(DataFlow::FieldContent).getField().getDeclaringType().getASourceSupertype().hasName("Configuration")
        or 
        c instanceof DataFlow::CollectionContent
    )
  }   
}

module TaintFlow = TaintTracking::Global<TaintFlowConfig>;

from TaintFlow::PathNode source, TaintFlow::PathNode sink
where TaintFlow::flowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()

和partial flow 结构类似，看来是之后要用这个语法了

2.3 Tips

path-problem

需要遵循以下格式

1. @kind 表示是路径问题
/**
 * @kind path-problem
 */
2. 引入PathGraph，老版本是在DataFlow下，新版本为自定义的module
import DataFlow::PathGraph

3. 保持以下格式，4个字断
select source, source, sink, "$@", sink, sink.toString()
- 1. source，会显示为vs code message 左边
- 2. source，source点
- 3. sink，sink点
- 4. "$@", sink, sink.toString()，这个实际为一个，具体可以看codeql 基础知识，显示为vs code message 右边

0x03 小结

数据库基本兼容，v2.14.1的ql，用v2.10.4的db，也OK
DataFlow 和TaintTracking 区别比较大，可以参考[1]
升级codeql 一定要慎重，没有那么兼容

0x04 参考

[1] About data flow analysis