Hello, Habr!
CodeQL
CodeQL is an open-source code analysis engine that treats a code base as data: you describe what you are looking for in a SQL-like query language and the engine finds every place in the code that matches. It belongs to the SAST (Static Application Security Testing) class of tools.
Because the query language is general-purpose, you are not limited to the built-in checks: you can ask the code arbitrary questions, for example to find places where 5 for/while loops are nested inside one another, and get a precise, reproducible answer.
CodeQL was created by Semmle and since 2020 has been developed under GitHub Security Lab. GitHub publishes its queries openly: more than 2000 QL queries covering languages from JavaScript to C++.
Supported languages: C/C++, C#, Java, Go, Python, JavaScript/TypeScript. The list keeps growing.
CodeQL can be used in several ways:
- as a command-line tool, including inside a CI/CD pipeline;
- as a Visual Studio Code extension for ad-hoc analysis of a project;
- through the LGTM web service, which analyses GitHub repositories;
- as part of CI/CD on GitHub itself.
Why is this worth the effort? GitHub runs CTF events and a bug bounty programme for CodeQL queries that find real vulnerabilities (CVEs) and 0-days in open-source projects, so writing good queries pays off beyond your own code base.
CodeQL
To see what a CodeQL query looks like in practice, let's take one of the standard queries available on LGTM.
As an example, consider the query for Cross-Site Scripting (the screenshots of the query open in VSCode are not reproduced here).
CodeQL tracks data from an untrusted source (for instance, a GET parameter of an HTTP request) through the program to a dangerous sink, such as HTML output. The isSanitizer predicate marks the nodes where the data is neutralised: a flow that passes through such a node is not reported. In CodeQL terms, the place where untrusted data enters the program is the source, and the place where it is used dangerously is the sink.
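The following query is an added example, not one of the queries shown in the original article or shipped with CodeQL: it demonstrates the source/sink/sanitizer model just described for a client-side XSS pattern, untrusted data written to innerHTML. It uses the class-based TaintTracking::Configuration API that was current when the article was written (newer CodeQL releases deprecate it in favour of TaintTracking::Global). The sanitizer, a function named escapeHtml, is an assumption standing in for whatever escaping helper a real project uses; RemoteFlowSource and DataFlow::PropWrite are standard library classes.

```ql
/**
 * @name Untrusted data written to innerHTML
 * @description Data from a remote source reaches an innerHTML assignment
 *              without passing through a sanitizer.
 * @kind path-problem
 * @problem.severity error
 * @id js/example/untrusted-innerhtml
 */

import javascript
// Needed for @kind path-problem: makes the engine emit the full flow path.
import DataFlow::PathGraph

/**
 * Taint-tracking configuration. Sources are the standard library's remote
 * flow sources (query parameters, document.location, request bodies, ...);
 * sinks are the right-hand sides of assignments to an `innerHTML` property.
 */
class UntrustedToInnerHtml extends TaintTracking::Configuration {
  UntrustedToInnerHtml() { this = "UntrustedToInnerHtml" }

  override predicate isSource(DataFlow::Node source) {
    source instanceof RemoteFlowSource
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::PropWrite write |
      write.getPropertyName() = "innerHTML" and
      sink = write.getRhs()
    )
  }

  // Assumed project-specific sanitizer: any call to a function named
  // `escapeHtml` stops the flow. Real code bases will name this differently;
  // adjust the name to match the escaping helper actually used.
  override predicate isSanitizer(DataFlow::Node node) {
    node.(DataFlow::CallNode).getCalleeName() = "escapeHtml"
  }
}

from UntrustedToInnerHtml cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "Untrusted data from $@ is written to innerHTML without sanitization.",
  source.getNode(), "this source"
```

Run it against a JavaScript database in VSCode: each result is a path from the source to the innerHTML write, and a path that goes through escapeHtml() is dropped. To check the sanitizer actually fires, add a call to it in a test file and confirm the corresponding result disappears.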
LGTM
The quickest way to try CodeQL is the LGTM (Looks Good To Me) web service. It analyses open-source projects, including any public GitHub repository, and lets you run queries against them in the browser.
Let's write a first CodeQL query there:
- Open the query console on LGTM.
- Choose a JavaScript project, for example meteor/meteor.
- Enter the query below.
- Click Run.
For instance, this query lists every class expression in the project:
import javascript
from ClassExpr ce
select ce
Now let's find all eval() calls in files named client.js, together with their arguments.
The query looks like this:
import javascript
from CallExpr call
where call.getCalleeName() = "eval"
and call.getLocation().getFile().getRelativePath().matches("%client.js")
select call, call.getAnArgument()
Each result row shows the call itself (left column) and the argument passed to eval() (right column); clicking a result jumps to the corresponding location in the source. This is exactly the kind of place worth inspecting by hand.
CodeQL
LGTM is convenient for a quick look, but for serious work you want the CodeQL CLI and the VSCode extension on your own machine.
The steps below are for Windows (hence %PATH%); on Linux/macOS the same applies with $PATH.
Installing the CLI:
- Download the CodeQL CLI archive from GitHub and unpack it into a folder named codeql.
- Add the codeql folder to %PATH% so that the codeql command is available from any shell.
Install the CodeQL extension for VSCode and clone the starter workspace (it pulls in the standard libraries as git submodules, hence the second command):
git clone https://github.com/github/vscode-codeql-starter/
git submodule update --init --remote
Your own queries go into the per-language folder of the starter workspace (for JS that is codeql-custom-queries-javascript).
To have something to query right away, download a ready-made CodeQL database (for JS, the Bootstrap database from the GitHub Satellite workshop): https://github.com/githubsatelliteworkshops/codeql/releases/download/v1.0/esbenabootstrap-pre-27047javascript.zip
Unpack the archive.
In VSCode choose Open workspace and open the cloned vscode-codeql-starter workspace.
In the CodeQL sidebar in VSCode add the unpacked database; it becomes the current database that queries are run against (see Fig. 4).
Open example.ql in the codeql-custom-queries-javascript folder and replace its contents with:
import javascript
from Expr e
select "Wazzup!"
Why is a database needed at all? CodeQL does not analyse source files directly. The code is first extracted into a database: every file is parsed into an abstract syntax tree (AST), which is stored in relational form along with the semantic information the standard library builds on top of it. Queries are then evaluated against that database, not against the text. This is the fundamental difference between CodeQL and tools that match source text with regular expressions.
So before you can query your own project you have to build a database for it.
For a JS project, run the following from the project root; it creates the database in the my-js-codebase folder:
codeql database create my-js-codebase --language=javascript
For compiled languages the database is produced while the project is being built (for example, under Maven for a Java project).
The finished database is then added in VSCode through the CodeQL panel: "Choose Database from Folder".
After that the queries from the starter workspace can be run against your own code.
CodeQL
Now let's write a CodeQL query for JavaScript ourselves.
Suppose we want to find every call to the jQuery function "$" (for example $(arg1, arg2)) and, for each call, its first argument. A query over a jQuery-based project, with line-by-line commentary, looks like this:
/**
 * @name QueryName
 * @kind problem
 * @id my_id_1
 */
// Query metadata: the name shown in the results, the kind of result
// (problem = a flat list of findings) and a unique id.

import javascript
// Pulls in the CodeQL standard library for JavaScript: the classes that
// model the AST (Expr, CallExpr, ...), data flow and framework-specific
// details. Further libraries can be imported as well, for example
// semmle.javascript.NodeJS; a Python query would import python instead.

from CallExpr dollarCall, Expr dollarArg
// Declares the variables the query ranges over, with their types:
// dollarCall is a CallExpr (a function call) and dollarArg is an Expr
// (any expression). In `Object.entries = function(obj)`, for instance,
// the expressions are Object, Object.entries, entries, function(obj) and obj.

where dollarCall.getCalleeName() = "$"
// Constrains the variables. getCalleeName() (a predicate of CallExpr)
// returns the name of the called function, which we require to be "$".
  and dollarArg = dollarCall.getArgument(0)
// Conditions are combined with and. dollarArg is bound to the first
// argument of the $ call (getArgument is zero-based).

select dollarCall, dollarArg
// Returns the result: one row per matching call, showing the call
// and its first argument.
The shape is deliberately SQL-like: from declares the variables, where constrains them, select returns the rows. Most of the work in real queries is knowing which classes and predicates of the CodeQL standard library to reach for.
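As an added example (not from the original article), the query above can be refined so that it reports only the $() calls worth a reviewer's attention. The first argument of jQuery's $() is treated as HTML when it contains '<', so a constant string is harmless by construction, while a non-constant one may be attacker-influenced. The query below adds two helper predicates and a few exclusions for that; DataFlow::globalVarRef, getACall, getStringValue and the JS Function class are standard library API, the query name and id are made up for this example.

```ql
/**
 * @name jQuery $() called with a non-constant argument
 * @description The first argument of $() is parsed as HTML when it contains '<',
 *              so a non-constant argument deserves a look.
 * @kind problem
 * @problem.severity warning
 * @id js/example/dynamic-jquery-argument
 */

import javascript

/** Holds if `call` invokes the global jQuery function, `$` or `jQuery`. */
predicate isJQueryCall(DataFlow::CallNode call) {
  call = DataFlow::globalVarRef(["$", "jQuery"]).getACall()
}

/** Holds if the value of `node` is a string known at analysis time. */
predicate isConstantString(DataFlow::Node node) { exists(node.getStringValue()) }

from DataFlow::CallNode call, DataFlow::Node arg
where
  isJQueryCall(call) and
  arg = call.getArgument(0) and
  // A constant selector or constant HTML cannot be attacker-controlled.
  not isConstantString(arg) and
  // $(function () { ... }) and $(document) cannot be parsed as HTML.
  not arg.asExpr() instanceof Function and
  not arg = DataFlow::globalVarRef("document")
select call, "jQuery is called with a $@ that is not a string constant.", arg, "first argument"
```

Compared with the page's query, this one works on data-flow nodes rather than raw CallExpr values, so it also matches $ when it has been aliased or imported, and it drops the noise of constant selectors. What remains are the calls where the next step is to check where the argument comes from.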
What next?
Once the basics are in place, the practical question is what to point CodeQL at.
Your own projects (especially open-source ones) are easiest to try on LGTM.
GitHub also offers hands-on courses in which you write CodeQL queries step by step:
https://lab.github.com/githubtraining/codeql-u-boot-challenge-(cc++) (the CodeQL U-Boot challenge for C/C++)
https://lab.github.com/githubtraining/codeql-for-javascript:-unsafe-jquery-plugin (finding unsafe jQuery plugins in Bootstrap with CodeQL for JavaScript)
There is also a GitHub recording in which CodeQL is applied to a Java project (the XStream library).
Working through these gives a feel for how real queries are built, and for how much of the work is the standard library rather than the query itself.
It is dangerous to go alone! CodeQL has a community around it where queries, questions and findings are shared, including a Telegram chat. Don't hesitate to ask there when you get stuck with CodeQL.
Useful links:
https://help.semmle.com/codeql/ (CodeQL documentation)
https://help.semmle.com/QL/ql-handbook/ (the QL language handbook)
https://help.semmle.com/QL/learn-ql/ (learning CodeQL, with per-language tutorials)
https://securitylab.github.com/get-involved (how to get involved with GitHub Security Lab and CodeQL, including the Slack workspace for CodeQL discussion)
Disclaimer
Finally, mind the licence. GitHub restricts where CodeQL may be used: only on code released under an OSI-approved open source licence, for academic research, or in the CI/CD cases listed below. In GitHub's own words:
GitHub CodeQL can only be used on codebases that are released under an OSI-approved open source license, or to perform academic research, or to generate CodeQL databases for or during automated analysis, continuous integration (CI) or continuous delivery (CD) in the following cases: (1) on any Open Source Codebase hosted and maintained on GitHub.com, and (2) to test CodeQL queries you have released under an OSI-approved open source software license. It can't be used for automated analysis, continuous integration or continuous delivery, whether as part of normal software engineering processes or otherwise, except in the express cases set forth herein. For these uses, contact the sales team.