CodeQL query for Javascript project #20552
Hi everyone,
I’m working on developing CodeQL queries for JavaScript and would like your input. My goals are:
1. Check if a given OSS package is present in package.json.
2. Verify if the OSS package is actually imported in the code.
3. Generate a call graph.
4. Determine whether a sink function is reachable and executed.
5. Assess if the sink function is exploitable.
So far, I’ve been able to generate the call graph. I’d appreciate any guidance on whether the other checks are feasible with CodeQL, and suggestions on how to approach them.
Replies: 3 comments 2 replies
Hi @Sridharc20,
Thanks for your question.
> Check if a given OSS package is present in package.json.

This can be checked using the `PackageJson` class.

> Verify if the OSS package is actually imported in the code.

This can be checked using the `Import` class.

> Determine whether a sink function is reachable and executed.
> Assess if the sink function is exploitable.

For these you would likely want to have a look at dataflow.
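The first two checks in this answer can be combined into one query. The following is an added example written for this thread, not code from the CodeQL project or from the poster; the package name `axios` is a placeholder chosen to match the later posts, and `targetPackage` and `TargetImport` are names introduced here. It uses the `PackageJson.declaresDependency` predicate and the `Import.getImportedPath()` accessor of the standard JavaScript library, and reports each package.json that declares the dependency together with how many import sites actually load it.

```ql
/**
 * @name Declared dependency and its import sites
 * @description Reports package.json files declaring the target package and
 *              counts the `require` / `import` sites that load it, so a
 *              dependency that is declared but never imported stands out.
 * @kind problem
 * @problem.severity recommendation
 * @id js/example/declared-vs-imported-package
 */

import javascript

/** The npm package name to look for (placeholder; substitute your own). */
string targetPackage() { result = "axios" }

/**
 * An import (ESM `import`, `require(...)` or dynamic `import(...)`) that loads
 * the target package itself or one of its subpaths (`axios/lib/...`), but not
 * a differently named package that merely shares a prefix (`axios-retry`).
 */
class TargetImport extends Import {
  TargetImport() {
    exists(string path | path = this.getImportedPath().getValue() |
      path = targetPackage() or
      path.matches(targetPackage() + "/%")
    )
  }
}

from PackageJson pkg, string version, int importSites
where
  // The package is declared (any dependency kind) with version spec `version`.
  pkg.declaresDependency(targetPackage(), version) and
  // Number of places in the analysed code that import it.
  importSites = count(TargetImport imp)
select pkg,
  "Declares " + targetPackage() + " (" + version + "); it is imported at " +
    importSites.toString() + " site(s) in the code base."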
I would like to automate this process, but I’ve found that generalizing a CodeQL query (source-to-sink) for any vulnerability is not feasible. For each vulnerability, I need to modify the CodeQL query accordingly. Any guidance on this would be greatly appreciated.
Essentially, my goal is to automate the following steps using CodeQL:
- Trace code paths to determine whether the vulnerable code is reachable from entry points (e.g., main functions, API endpoints, event handlers).
- Identify all potential entry points where execution begins or where external inputs are processed.
- Determine whether external inputs (such as user data, API requests, or file inputs) can reach the vulnerable code.
> Trace code paths to determine whether the vulnerable code is reachable from entry points (e.g., main functions, API endpoints, event handlers).
> Identify all potential entry points where execution begins or where external inputs are processed.
> Determine whether external inputs (such as user data, API requests, or file inputs) can reach the vulnerable code.

This is what the dataflow library is for. But it sounds like you want to automate something on top of that? It is not clear to me what though.
Hi @jketema san,
Thanks for considering.
I need to generate a call graph (which function calls which).
I also have a source and sink function defined.
I want a CodeQL query that shows the data flow from source to sink.
```ql
// Needed so that DataFlow and TaintTracking are in scope.
import javascript
import DataFlow::PathGraph

class Config extends TaintTracking::Configuration {
  Config() { this = "Config" }

  // Source: any node in rest_handler.ts whose printed form is "validateTestRequest".
  override predicate isSource(DataFlow::Node source) {
    source.getFile().getBaseName().toString() = "rest_handler.ts" and
    source.toString() = "validateTestRequest"
  }

  // Sink: any node in axiosUtils.ts whose printed form is "axios.get" or "axios.post".
  override predicate isSink(DataFlow::Node sink) {
    sink.getFile().getBaseName().toString() = "axiosUtils.ts" and
    (sink.toString() = "axios.get" or sink.toString() = "axios.post")
  }
}

from Config config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select sink, source
```
I’m getting an empty result from the query, even though the source and sink work individually when tested separately.
Please help
It is hard to tell what is going on without seeing the JS/TS code you're trying to analyze. However, going by the name, `validateTestRequest` doesn't look like data that would flow to `axios.post`.
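The point made in this reply and in the earlier one about the dataflow library is that sources and sinks are data-flow nodes, i.e. expressions that carry a value, not the names of the functions involved. A function reference such as `validateTestRequest` or `axios.post` is not a value that flows anywhere; what flows is, for instance, a request parameter that ends up as the URL argument of `axios.get(...)`. The query below is an added example written for this thread, not code from the CodeQL project or from the poster, showing how such a source-to-sink question is normally phrased. It assumes a CodeQL JavaScript library recent enough to provide the `DataFlow::ConfigSig` / `TaintTracking::Global` module API; `AxiosUrlConfig` and `AxiosUrlFlow` are names introduced here, and the choice of remote input as the source and the axios URL argument as the sink is an illustrative assumption.

```ql
/**
 * @name Remote input reaching an axios request URL
 * @description Example path query: a value controlled by a remote client
 *              (request parameters, body, headers) flows to the URL argument
 *              of `axios.get(...)` or `axios.post(...)`.
 * @kind path-problem
 * @problem.severity warning
 * @id js/example/remote-input-to-axios-url
 */

import javascript

module AxiosUrlConfig implements DataFlow::ConfigSig {
  /** Sources: values a remote client controls, as modelled by the standard library. */
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  /**
   * Sinks: the first argument (the URL) of `axios.get` / `axios.post`.
   * `DataFlow::moduleMember` resolves the member however axios was imported
   * (`import axios from "axios"`, `const axios = require("axios")`, ...),
   * so no file name or printed form of the call needs to be matched.
   */
  predicate isSink(DataFlow::Node sink) {
    sink = DataFlow::moduleMember("axios", ["get", "post"]).getACall().getArgument(0)
  }
}

// Taint tracking (rather than plain data flow) also follows string
// concatenation and template literals, which is how URLs are usually built.
module AxiosUrlFlow = TaintTracking::Global<AxiosUrlConfig>;

import AxiosUrlFlow::PathGraph

from AxiosUrlFlow::PathNode source, AxiosUrlFlow::PathNode sink
where AxiosUrlFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "The URL of this request depends on a $@.",
  source.getNode(), "user-controlled value"
```

Because the sink is defined on the resolved module member, the query works regardless of which file the call sits in; restricting it to `axiosUtils.ts` would only hide results. If the code calls methods on an instance created with `axios.create(...)` instead of the module itself, `isSink` would need an extra clause for that instance's `get` / `post` calls. Run it as a path query so the step-by-step path from the request parameter to the argument is shown, which is also the quickest way to see why an expected flow is missing.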