
I'm new to CodeQL and trying to get better at it. I'm trying to create a CodeQL query that will find some flow from source to sink in the following code: https://github.com/joaomatosf/JavaDeserH2HC/blob/master/VulnerableHTTPServer.java

Is there a flow from com.sun.net.httpserver.HttpExchange.getRequestBody() to java.io.ObjectInputStream.readObject()? Yes, there is. So I know that what I'm looking for should exist if I can craft the correct query.

I started by creating a source and sink file.

Source:

import java

from MethodAccess call
where call.getMethod().hasQualifiedName("com.sun.net.httpserver", "HttpExchange", "getRequestBody")
select call

Sink:

import java

from MethodAccess call, Expr arg
where
 call.getMethod().hasQualifiedName("java.io", "ObjectInputStream", "readObject") and
 arg = call.getQualifier()
select call, "from", arg, "to"

They work: each finds what I'm looking for. But when I try to find the flow between them, it does not.

Flow:

/**
 * @name Empty block
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/empty-block
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow
import DataFlow::PathGraph

// Unused placeholder; with `import DataFlow`, `Node` resolves to DataFlow::Node.
class DeserializationSink extends Node { }

class JavaDeserialization extends TaintTracking::Configuration {
  JavaDeserialization() { this = "JavaDeserialization" }

  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("com.sun.net.httpserver", "HttpExchange", "getRequestBody") and
      source.asExpr() = call)
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("java.io", "ObjectInputStream", "readObject") and
      sink.asExpr() = call.getQualifier())
  }
}

from JavaDeserialization config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "taint from $@.", source.getNode(), "here"

What am I doing wrong? Is there some problem with what I am returning as the nodes of isSource and isSink? Grateful for any advice.

Don_twice
  • Because the JDK and any third party dependencies you are using are not compiled when you build the project, their dataflow won't be part of the database. Instead the CodeQL library has dataflow and taintflow paths for them hardcoded. Possibly it is just missing some of the classes you are using. Maybe try [debugging using partial flow](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/). If you notice indeed missing dataflow paths for the JDK classes, model them yourself and / or raise them on the CodeQL GitHub repo (and follow up here). – Marcono1234 May 24 '23 at 20:55
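The partial-flow technique suggested in the comment, applied to the source and sink from the question, as an added example (not code from the question, the comment, or the CodeQL project). It keeps the legacy `TaintTracking::Configuration` style used above, and the class name `DeserializationPartialConfig` and the query id are my own. It also states the taint step through the `ObjectInputStream(InputStream)` constructor explicitly; if the CodeQL Java library already models that step, the extra predicate is harmless, and if it does not, this is exactly the link that would be missing between `getRequestBody()` and the qualifier of `readObject()`.

```ql
/**
 * @name Partial taint flow from HttpExchange.getRequestBody() towards readObject()
 * @kind path-problem
 * @problem.severity warning
 * @id java/example/deserialization-partial-flow
 */

import java
import semmle.code.java.dataflow.TaintTracking
// PartialPathGraph replaces PathGraph for partial-flow queries; do not import both.
import DataFlow::PartialPathGraph

// Hypothetical configuration name: same source and sink as the question,
// plus an explicit taint step through the ObjectInputStream constructor.
class DeserializationPartialConfig extends TaintTracking::Configuration {
  DeserializationPartialConfig() { this = "DeserializationPartialConfig" }

  override predicate isSource(DataFlow::Node source) {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("com.sun.net.httpserver", "HttpExchange", "getRequestBody") and
      source.asExpr() = call
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess call |
      call.getMethod().hasQualifiedName("java.io", "ObjectInputStream", "readObject") and
      sink.asExpr() = call.getQualifier()
    )
  }

  // A tainted argument to `new ObjectInputStream(...)` (or a subclass) taints
  // the constructed stream, which is the qualifier of the later readObject() call.
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(ClassInstanceExpr cie |
      cie.getConstructedType().getASourceSupertype*().hasQualifiedName("java.io", "ObjectInputStream") and
      pred.asExpr() = cie.getAnArgument() and
      succ.asExpr() = cie
    )
  }

  // Partial flow explores at most this many steps forward from each source.
  override int explorationLimit() { result = 10 }
}

// Every node reachable from a source within the limit is reported, sink or not,
// so the last node on each path shows exactly where taint stops propagating.
from
  DeserializationPartialConfig config, DataFlow::PartialPathNode source,
  DataFlow::PartialPathNode node
where config.hasPartialFlow(source, node, _)
select node.getNode(), source, node, "Partial taint flow from $@.", source.getNode(),
  "getRequestBody()"
```

Reading the result: if the paths end at the `getRequestBody()` call itself, the `InputStream` is being passed into a JDK or library method that has no data-flow model in the database, which is the situation the comment describes; if they reach the `new ObjectInputStream(...)` expression but never its `readObject()` qualifier, the problem lies in how the stream variable is used between the two. Once the gap is closed, switching back to `import DataFlow::PathGraph` and `hasFlowPath` restores the full source-to-sink query from the question.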

0 Answers