GitHubSecurityLab · GeekMasher · May 30, 2024 · Jan 18, 2024 · Jan 18, 2024 · Jan 18, 2024
diff --git a/go/lib/codeql-pack.lock.yml b/go/lib/codeql-pack.lock.yml
@@ -2,15 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/go-all:
-    version: 0.6.4
+    version: 0.8.1
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
 compiled: false
diff --git a/go/src/audit/CWE-089/SqlInjectionAudit.ql b/go/src/audit/CWE-089/SqlInjectionAudit.ql
@@ -12,24 +12,30 @@
  */
 
 import go
-import semmle.go.security.SqlInjection
-import DataFlow::PathGraph
 import ghsl.Utils
+private import semmle.go.security.SqlInjectionCustomizations
 
 /**
  * A taint-tracking configuration for detecting SQL injection vulnerabilities.
  */
-class SqlInjectionAudit extends TaintTracking::Configuration {
-  SqlInjectionAudit() { this = "SqlInjectionAudit" }
+private module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
+  predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    NoSql::isAdditionalMongoTaintStep(pred, succ)
+  }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
 }
 
-from SqlInjectionAudit config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
-  "a user-provided value"
+/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
+module Flow = TaintTracking::Global<Config>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  "user-provided value"
diff --git a/go/src/audit/explore/RemoteFlowSources.ql b/go/src/audit/explore/RemoteFlowSources.ql
@@ -8,7 +8,7 @@
 
 import semmle.go.security.FlowSources
 
-from UntrustedFlowSource source
+from RemoteFlowSource::Range source
 where not source.getFile().getRelativePath().matches("%/test/%")
 select source, "remote", source.getFile().getRelativePath(), source.getStartLine(),
   source.getEndLine(), source.getStartColumn(), source.getEndColumn()
diff --git a/go/src/codeql-pack.lock.yml b/go/src/codeql-pack.lock.yml
@@ -2,15 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/go-all:
-    version: 0.6.4
+    version: 0.8.1
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
 compiled: false
diff --git a/go/src/security/CWE-078/CommandInjection.ql b/go/src/security/CWE-078/CommandInjection.ql
@@ -15,9 +15,12 @@ import go
 import semmle.go.security.CommandInjection
 import semmle.go.security.FlowSources
 
+/**
+ * Flow configuration for command injection
+ */
 module FlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node node) {
-    exists(UntrustedFlowSource source, Function function, DataFlow::CallNode callNode |
+    exists(RemoteFlowSource::Range source, Function function, DataFlow::CallNode callNode |
       source.asExpr() = node.asExpr() and
       source.(DataFlow::ExprNode).asExpr().getEnclosingFunction() = function.getFuncDecl() and
       (
@@ -33,11 +36,21 @@ module FlowConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CommandInjection::Sink s | sink = s | not s.doubleDashIsSanitizing())
   }
+
+  predicate isBarrier(DataFlow::Node node) { node instanceof CommandInjection::Sanitizer }
 }
 
 module Flow = TaintTracking::Global<FlowConfig>;
 
-from Flow::PathNode source, Flow::PathNode sink
-where Flow::flowPath(source, sink)
+module FlowGraph =
+  DataFlow::MergePathGraph<Flow::PathNode, CommandInjection::DoubleDashSanitizingFlow::PathNode,
+    Flow::PathGraph, CommandInjection::DoubleDashSanitizingFlow::PathGraph>;
+
+import FlowGraph::PathGraph
+
+from FlowGraph::PathNode source, FlowGraph::PathNode sink
+where
+  Flow::flowPath(source.asPathNode1(), sink.asPathNode1()) or
+  CommandInjection::DoubleDashSanitizingFlow::flowPath(source.asPathNode2(), sink.asPathNode2())
 select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
   "user-provided value"
diff --git a/go/test/codeql-pack.lock.yml b/go/test/codeql-pack.lock.yml
@@ -2,19 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/go-all:
-    version: 0.6.4
-  codeql/go-queries:
-    version: 0.6.4
+    version: 0.8.1
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
-  codeql/suite-helpers:
-    version: 0.6.4
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
 compiled: false
diff --git a/go/test/qlpack.yml b/go/test/qlpack.yml
@@ -2,7 +2,7 @@ name: githubsecurtylab/codeql-go-tests
 groups: [go, test]
 dependencies:
     codeql/go-all: '*'
-    codeql/go-queries: '*'
+      # codeql/go-queries: '*'
     githubsecuritylab/codeql-go-queries: '*'
     githubsecuritylab/codeql-go-libs: '*'
 extractor: go

diff --git a/go/test/security/CWE-078/cmdi.expected b/go/test/security/CWE-078/cmdi.expected
@@ -1,16 +1,10 @@
 edges
-| main.go:11:13:11:19 | selection of URL | main.go:11:13:11:27 | call to Query |
-| main.go:11:13:11:27 | call to Query | main.go:12:22:12:28 | cmdName |
-| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query |
-| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName |
+| main.go:20:14:20:20 | selection of URL | main.go:20:14:20:28 | call to Query | provenance | MaD:732 |
+| main.go:20:14:20:28 | call to Query | main.go:27:22:27:28 | cmdName | provenance |  |
 nodes
-| main.go:11:13:11:19 | selection of URL | semmle.label | selection of URL |
-| main.go:11:13:11:27 | call to Query | semmle.label | call to Query |
-| main.go:12:22:12:28 | cmdName | semmle.label | cmdName |
 | main.go:20:14:20:20 | selection of URL | semmle.label | selection of URL |
 | main.go:20:14:20:28 | call to Query | semmle.label | call to Query |
 | main.go:27:22:27:28 | cmdName | semmle.label | cmdName |
 subpaths
 #select
-| main.go:12:22:12:28 | cmdName | main.go:11:13:11:19 | selection of URL | main.go:12:22:12:28 | cmdName | This command depends on a $@. | main.go:11:13:11:19 | selection of URL | user-provided value |
 | main.go:27:22:27:28 | cmdName | main.go:20:14:20:20 | selection of URL | main.go:27:22:27:28 | cmdName | This command depends on a $@. | main.go:20:14:20:20 | selection of URL | user-provided value |