Catch security vulnerability thanks to custom CodeQL rule

Author: smelc

.github/codeql/codeql-config.yml

@@ -1,3 +1,3 @@
 queries:
-  # - uses: ./codeql-queries/Sarge.qls
+  - uses: ./codeql-queries/Joor.qls
   - uses: java-security-and-quality

.github/codeql/golden.csv

@@ -1 +1,2 @@
-Tool,Severity,Code,Description,Location,Line
+Tool,Code,Description,Location,Line
+CodeQL,java/code-injection,Tainted data passed to joor,main/java/com/moduscreate/java/security/codeql/App.java,18.0

README.md

@@ -1,5 +1,11 @@
 # java-security-codeql
 
+This repository is part of Tweag's experience sharing of using GitHub's
+[CodeQL](https://codeql.github.com/) static analysis tool. Other resources of ours include:
+
+* A variant of this repository using Python as the programming language of choice: https://github.com/smelc/sarge-security-codeql
+* A technical blog post: [Getting started with CodeQL, GitHub's declarative static analyzer for security](LINK TBD)
+
 ## Install the development environment
 
 We provide a [.envrc](./envrc) file to enter the development shell automatically.
@@ -24,3 +30,11 @@ Trigger vulnerabilities in another terminal:
 ```shell
 curl -X POST http://localhost:8080/api/invoke -d "method=sayHello"
 ```
+
+## Catching the vulnerability with CodeQL
+
+The query to catch the example vulnerability is in [queries/JoorMain.ql](./codeql-queries/JoorMain.ql). This query
+relies on library code located in [queries/JoorLib.qll](./codeql-queries/JoorLib.qll). Debugging code, used
+to find out how to write the main query is in [queries/Scratch.ql](./codeql-queries/Scratch.ql): this file
+gives insight how one discovers what to write in a CodeQL query (the blog post linked above
+explains this process in details).

codeql-queries/GetRemoteFlowSource.ql

@@ -12,5 +12,5 @@
 import java
 import semmle.code.java.dataflow.FlowSources
 
-from RemoteFlowSource src
+from ActiveThreatModelSource src
 select src, "Potential flow source"

codeql-queries/Joor.qls

@@ -0,0 +1 @@
+- query: ./JoorMain.ql

codeql-queries/JoorLib.qll

@@ -0,0 +1,19 @@
+/**
+ * This file has the qll extension because it is meant to be imported.
+ * ql files on the other hand, are meant to contain a query and so
+ * cannot be imported.
+ *
+ * See https://codeql.github.com/docs/ql-language-reference/modules/#kinds-of-modules
+ */
+
+import semmle.code.java.dataflow.FlowSources
+private import semmle.code.java.dataflow.internal.DataFlowPrivate
+
+class JoorSink extends ArgumentNode {
+  JoorSink() {
+    exists(MethodCall mc |
+      mc.getAnArgument() = this.asExpr() and
+      mc.getMethod().getQualifiedName() = "org.joor.Reflect.call"
+    )
+  }
+}

codeql-queries/JoorMain.ql

@@ -0,0 +1,32 @@
+/**
+ * @name Code injection
+ * @description Interpreting unsanitized user input as code allows a malicious user to perform arbitrary
+ *              code execution.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 9.3
+ * @sub-severity high
+ * @precision high
+ * @id java/code-injection
+ * @tags security
+ *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
+ *       external/cwe/cwe-116
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import JoorLib
+import JoorFlow::PathGraph // So that tainted paths render nicely in the CodeQL Query Results view
+
+private module JoorConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof JoorSink }
+}
+
+module JoorFlow = TaintTracking::Global<JoorConfig>;
+
+from JoorFlow::PathNode source, JoorFlow::PathNode sink
+where JoorFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "Tainted data passed to joor"

codeql-queries/Scratch.ql

@@ -0,0 +1,27 @@
+/**
+ * @name GetRemoteFlowSource
+ * @description Find all flow sources in the project
+ * @kind problem
+ * @tags correctness
+ * @problem.severity recommendation
+ * @sub-severity low
+ * @precision very-high
+ * @id py/get-remote-flow-source
+ */
+
+import java
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.dataflow.internal.DataFlowNodes
+private import semmle.code.java.dataflow.internal.DataFlowPrivate
+
+// from DataFlow::Node node
+// where node.getLocation().getFile().toString() = "App"
+//   and node.getLocation().getStartLine() = 18
+// //       and node.asExpr().(MethodCall).getMethod().getQualifiedName() = "org.joor.Reflect.call"
+// select node, node.getAQlClass(), "node" //, node.asExpr().(MethodCall), node.asExpr().(MethodCall).getMethod().getQualifiedName(), "node"
+from DataFlow::Node node
+where
+  node.getLocation().getFile().toString() = "App" and
+  node.getLocation().getStartLine() = 18
+// select node, node.(ArgumentNode).getCall().asCall().getQualifier()., "node"
+select node, "node", node.(ArgumentNode).asExpr(), "(ArgumentNode).asExpr()"