Add challenges part 3

Author: sylwia-budzynska

3/1/instructions.md

@@ -0,0 +1,3 @@
+You will need to set up CodeQL using one of the methods presented in [challenge 2](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md) from CodeQL zero to hero part 2 to run the queries. Remember also to download and [select a CodeQL database](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database) - it can be the GitHubSecurityLab/codeql-zero-to-hero database, but you may also choose another project.
+
+Run the above query to find all method calls that are called ‘execute’ and come from the `django.db` library.

3/1/query.ql

@@ -0,0 +1,10 @@
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node =
+API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+and
+node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
+
+select node

3/2/instructions.md

@@ -0,0 +1 @@
+Now you know how to query for calls to functions from specific libraries. If os.system executes input coming from a user, it could lead to a command injection. Write a query to find calls to os.system and run it on the database you selected in the previous challenge.

3/2/query.ql

@@ -0,0 +1,7 @@
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node = API::moduleImport("os").getMember("system").getACall()
+and node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
+select node

3/3/instructions.md

@@ -0,0 +1 @@
+Flask is a popular Python web framework. Frameworks very often introduce potential sources for untrusted data, [Flask request](https://flask.palletsprojects.com/en/3.0.x/api/#incoming-request-data) being one of them. Write a query to find Flask requests.

3/3/query.ql

@@ -0,0 +1,4 @@
+import python
+import semmle.python.ApiGraphs
+
+select API::moduleImport("flask").getMember("request").asSource()

3/4/instructions.md

@@ -0,0 +1 @@
+Run the query with `getAQlClass` predicate

3/4/query.ql

@@ -0,0 +1,6 @@
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+select node, node.getAQlClass()

3/5/instructions.md

@@ -0,0 +1 @@
+Run the local data flow query to find execute calls that do not take a string literal

3/5/query.ql

@@ -0,0 +1,21 @@
+import python
+import semmle.python.ApiGraphs
+
+class ExecuteCall extends DataFlow::CallCfgNode {
+        ExecuteCall() {
+        this = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+        }
+}
+
+predicate executeNotLiteral(DataFlow::CallCfgNode call) {
+        exists(DataFlow::ExprNode expr |
+                call instanceof ExecuteCall
+        		and DataFlow::localFlow(expr, call.getArg(0))
+        		and expr instanceof DataFlow::LocalSourceNode
+        		and not expr.getNode().isLiteral()
+        )
+}
+
+from DataFlow::CallCfgNode call
+where executeNotLiteral(call)
+select call