Merge pull request #7 from GitHubSecurityLab/part3

sylwia-budzynska · web-flow · commit eabd9439de9a · 2024-04-29T00:37:33.000+02:00
Add challenges to part 3
diff --git a/2/challenge-1/sql-injection.py b/2/challenge-1/sql-injection.py
@@ -15,4 +15,8 @@ def show_user(request, username):
         # BAD -- Manually quoting placeholder (%s)
         cursor.execute("SELECT * FROM users WHERE username = '%s'" % username)
         user = cursor.fetchone()
+
+        # GOOD - string literal
+        cursor.execute("SELECT * FROM users WHERE username = 'johndoe'")
+        user = cursor.fetchone()
 urlpatterns = [url(r'^users/(?P<username>[^/]+)$', show_user)]
diff --git a/3/1/instructions.md b/3/1/instructions.md
@@ -0,0 +1,7 @@
+You will need to set up CodeQL using one of the methods presented in [challenge 2](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md) from CodeQL zero to hero part 2 to run the queries. Remember also to download and [select a CodeQL database](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database) - it can be the GitHubSecurityLab/codeql-zero-to-hero database, but you may also choose another project.
+
+Run the query in this challenge to find all method calls that are called ‘execute’ and come from the `django.db` library.
+
+If the path is not displaying properly, you may need to change the view to ‘alerts’.
+
+<img src=../../images/alert-view.png>
diff --git a/3/1/query.ql b/3/1/query.ql
@@ -0,0 +1,15 @@
+/**
+ * @id codeql-zero-to-hero/3-1
+ * @severity error
+ * @kind problem
+ */
+
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node =
+API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+and
+node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
+select node, "Call to django.db execute"
diff --git a/3/10/instructions.md b/3/10/instructions.md
@@ -0,0 +1,2 @@
+Run the CWE-20 Untrusted APIs query on a repo of your choice. For Python in the VS Code CodeQL Starter Workspace, it is located in `vscode-codeql-starter/ql/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql`.
+Try to choose a new project, download its database from GitHub (see [setup](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#option-b-local-installation)) and run this query on it.
diff --git a/3/11/instructions.md b/3/11/instructions.md
@@ -0,0 +1,2 @@
+Set up MRVA using instructions [here](https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/#controller-repository). Select top 10 repositories in the CodeQL extension tab. Choose one of the prewritten queries in your favorite language, right-click in the query file, and select CodeQL: Run Variant Analysis to start variant analysis. If you don’t find anything using that query, it’s likely because the project is already secured against that vulnerability. If you prefer, run one of the bigger lists with 100 or 1000 repositories.
+Caution: if you do find true positive vulnerabilities, make sure to verify them first and then report them using the coordinated disclosure process. See our [guide](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/) for reporting vulnerabilities to open source.
diff --git a/3/2/instructions.md b/3/2/instructions.md
@@ -0,0 +1,5 @@
+Now you know how to query for calls to functions from specific libraries.
+
+If `os.system` executes input coming from a user, it could lead to a command injection. Write a query to find calls to `os.system` and run it on the database you selected in the previous challenge.
+
+See solution in this folder.
diff --git a/3/2/query.ql b/3/2/query.ql
@@ -0,0 +1,13 @@
+/**
+ * @id codeql-zero-to-hero/3-2
+ * @severity error
+ * @kind problem
+ */
+
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node = API::moduleImport("os").getMember("system").getACall()
+and node.getLocation().getFile().getRelativePath().regexpMatch("2/challenge-1/.*")
+select node, "Call to os.system"
diff --git a/3/3/instructions.md b/3/3/instructions.md
@@ -0,0 +1,9 @@
+Flask is a popular Python web framework. Frameworks very often introduce potential sources for untrusted data, [Flask request](https://flask.palletsprojects.com/en/3.0.x/api/#incoming-request-data) being one of them. For example, a source of untrusted data could be:
+
+```
+username = request.args.get("username")
+```
+
+Write a query to find `request.args`
+
+See solution in this folder.
diff --git a/3/3/query.ql b/3/3/query.ql
@@ -0,0 +1,14 @@
+/**
+ * @id codeql-zero-to-hero/3-3
+ * @severity error
+ * @kind problem
+ */
+
+import python
+import semmle.python.ApiGraphs
+
+select API::moduleImport("flask").getMember("request").getMember("args").asSource(), "Flask request.args source"
+
+// Note that you can also use a wildcard to query for any method of the request object, for example:
+
+// select API::moduleImport("flask").getMember("request").getMember(_).asSource()
diff --git a/3/4/instructions.md b/3/4/instructions.md
@@ -0,0 +1,3 @@
+Run a query with `getAQlClass` predicate.
+
+See example in this folder.
diff --git a/3/4/query.ql b/3/4/query.ql
@@ -0,0 +1,11 @@
+/**
+ * @id codeql-zero-to-hero/3-4
+ * @severity error
+ * @kind problem
+ */
+import python
+import semmle.python.ApiGraphs
+
+from API::CallNode node
+where node = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+select node, "The node has type " + node.getAQlClass()
diff --git a/3/5/instructions.md b/3/5/instructions.md
@@ -0,0 +1,3 @@
+Run the local data flow query to find execute calls that do not take a string literal.
+
+See the query in this folder.
diff --git a/3/5/query.ql b/3/5/query.ql
@@ -0,0 +1,26 @@
+/**
+ * @id codeql-zero-to-hero/3-5
+ * @severity error
+ * @kind problem
+ */
+import python
+import semmle.python.ApiGraphs
+
+class ExecuteCall extends DataFlow::CallCfgNode {
+        ExecuteCall() {
+        this = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+        }
+}
+
+predicate executeNotLiteral(DataFlow::CallCfgNode call) {
+        exists(DataFlow::ExprNode expr |
+                call instanceof ExecuteCall
+        		and DataFlow::localFlow(expr, call.getArg(0))
+        		and expr instanceof DataFlow::LocalSourceNode
+        		and not expr.getNode().isLiteral()
+        )
+}
+
+from DataFlow::CallCfgNode call
+where executeNotLiteral(call)
+select call, "Call to django.db execute with an argument that is not a literal"
diff --git a/3/6/instructions.md b/3/6/instructions.md
@@ -0,0 +1,5 @@
+Run the taint tracking query to find flows from a Flask request to a django.db’s ‘execute’ sink.
+
+See the query in this folder. If the path is not displaying properly, you may need to change the view to ‘alerts’.
+
+<img src=../../images/alert-view.png>
diff --git a/3/6/query.ql b/3/6/query.ql
@@ -0,0 +1,36 @@
+/**
+ * @kind path-problem
+ * @problem.severity error
+ * @id githubsecuritylab/3-6
+ */
+
+ import python
+ import semmle.python.dataflow.new.DataFlow
+ import semmle.python.dataflow.new.TaintTracking
+ import semmle.python.ApiGraphs
+ import semmle.python.dataflow.new.RemoteFlowSources
+ import MyFlow::PathGraph
+
+ class ExecuteCall extends DataFlow::CallCfgNode {
+	ExecuteCall() {
+	this = API::moduleImport("django").getMember("db").getMember("connection").getMember("cursor").getReturn().getMember("execute").getACall()
+	}
+}
+
+ private module MyConfig implements DataFlow::ConfigSig {
+   predicate isSource(DataFlow::Node source) {
+	 source = API::moduleImport("flask").getMember("request").asSource()
+   }
+
+   predicate isSink(DataFlow::Node sink) {
+	 exists(ExecuteCall ec |
+		 sink = ec.getArg(0)
+	 	)
+   }
+ }
+
+ module MyFlow = TaintTracking::Global<MyConfig>; // or DataFlow::Global<..>
+
+ from MyFlow::PathNode source, MyFlow::PathNode sink
+ where MyFlow::flowPath(source, sink)
+ select sink.getNode(), source, sink, "Sample TaintTracking query"
diff --git a/3/7/instructions.md b/3/7/instructions.md
@@ -0,0 +1,2 @@
+You will need to use the VS Code CodeQL Starter Workspace for this challenge. See [setup](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#option-b-local-installation).
+CodeQL for Python stores all its security related queries in `python/ql/src/Security/` folder and experimental queries in `python/ql/src/experimental/Security`. The folder structure might differ a bit for other languages, for example Ruby in `ruby/ql/src/queries/security` or  C# in `csharp/ql/src/Security Features`.
diff --git a/3/8/instructions.md b/3/8/instructions.md
@@ -0,0 +1,2 @@
+Find all the sources using the `RemoteFlowSource` type.
+Feel free to choose a different project to query on, maybe you’ll find something interesting? To download a CodeQL database for any open source project on GitHub, check [setup instructions](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#select-codeql-database).
diff --git a/3/8/query.ql b/3/8/query.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind problem
+ * @problem.severity error
+ * @id githubsecuritylab/3-8
+ */
+import python
+import semmle.python.dataflow.new.RemoteFlowSources
+
+
+from RemoteFlowSource rfs
+select rfs, "A remote flow source"
diff --git a/3/9/instructions.md b/3/9/instructions.md
@@ -0,0 +1,2 @@
+Find all the SQL injection sinks. See what other sinks are available in `Concepts` and try to query for them.
+Feel free to choose a different project to query on.
diff --git a/3/9/query.ql b/3/9/query.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind problem
+ * @problem.severity error
+ * @id githubsecuritylab/3-9
+ */
+
+import python
+import semmle.python.Concepts
+
+from SqlExecution sink
+select sink, "Potential SQL injection sink"
diff --git a/README.md b/README.md
@@ -4,3 +4,4 @@ This repository contains challenges for the CodeQL Zero to Hero blog post series
 
 - Link to the first blog post—[CodeQL zero to hero part 1: the fundamentals of static analysis for vulnerability research](https://github.blog/2023-03-31-codeql-zero-to-hero-part-1-the-fundamentals-of-static-analysis-for-vulnerability-research/). The [challenges accompanying the blog post are in folder 1.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/1)
 - Link to the second blog post—[CodeQL zero to hero part 2: getting started with CodeQL](https://github.blog/2023-06-15-codeql-zero-to-hero-part-2-getting-started-with-codeql/). The [challenges accompanying the blog post are in folder 2.](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/tree/main/2)
+- Link to the third blog post-CodeQL zero to hero part 3: security research. The challenges accompanying the blog post are in folder 2.
diff --git a/codeql-pack.lock.yml b/codeql-pack.lock.yml
@@ -0,0 +1,22 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/dataflow:
+    version: 0.2.4
+  codeql/mad:
+    version: 0.2.13
+  codeql/python-all:
+    version: 0.11.13
+  codeql/regex:
+    version: 0.2.13
+  codeql/ssa:
+    version: 0.2.13
+  codeql/tutorial:
+    version: 0.2.13
+  codeql/typetracking:
+    version: 0.2.13
+  codeql/util:
+    version: 0.2.13
+  codeql/yaml:
+    version: 0.2.13
+compiled: false
diff --git a/codeql-pack.yml b/codeql-pack.yml
@@ -0,0 +1,7 @@
+---
+library: false
+warnOnImplicitThis: false
+name: getting-started/codeql-extra-queries-python
+version: 1.0.0
+dependencies:
+  codeql/python-all: ^0.11.13
diff --git a/images/alert-view.png b/images/alert-view.png

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Run the CWE-20 Untrusted APIs query on a repo of your choice. For Python in the VS Code CodeQL Starter Workspace, it is located in `vscode-codeql-starter/ql/python/ql/src/Security/CWE-020-ExternalAPIs/UntrustedDataToExternalAPI.ql`.
	`2`	`+Try to choose a new project, download its database from GitHub (see [setup](https://github.com/GitHubSecurityLab/codeql-zero-to-hero/blob/main/2/challenge-2/instructions.md#option-b-local-installation)) and run this query on it.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	+Set up MRVA using instructions [here](https://codeql.github.com/docs/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva/#controller-repository). Select top 10 repositories in the CodeQL extension tab. Choose one of the prewritten queries in your favorite language, right-click in the query file, and select CodeQL: Run Variant Analysis to start variant analysis. If you don’t find anything using that query, it’s likely because the project is already secured against that vulnerability. If you prefer, run one of the bigger lists with 100 or 1000 repositories.
	`2`	`+Caution: if you do find true positive vulnerabilities, make sure to verify them first and then report them using the coordinated disclosure process. See our [guide](https://github.blog/2022-02-09-coordinated-vulnerability-disclosure-cvd-open-source-projects/) for reporting vulnerabilities to open source.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+Run a query with `getAQlClass` predicate.
	`2`	`+`
	`3`	`+See example in this folder.`