Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Sign up
Appearance settings

[Golang] Additional Taint Step hidden in PathGraph Visualisation #20596

Answered by smowton
KseniiaSmirn0va asked this question in Q&A
Discussion options

Hello,
I added a taint step by extending TaintTracking::AdditionalTaintStep in golang. Now codeql builds the path with this step correctly, but I don't see the step itself in the alerts section, version 2.21.0.

Here is a simplified code snippet for my query, which works like a charm:

// url comes already tainted
func GetImageInfo(url string) (int32, int32, error) {
	...
	req, err := http.NewRequest(http.MethodGet, url, nil) // my taint step: taint from url to the req variable
	req = req.WithContext(extmon.MethodNameToCtx(req.Context(), "Get"))
	var resp *http.Response
	resp, err = transport.RoundTrip(req) // RoundTrip() is sink
	...
}

The problem is, when I click through the steps in the alerts section, the only two steps for this function I see are:
func GetImageWH(url string) (int32, int32, error) { - definition of url
resp, err = transport.RoundTrip(req) - req

  1. How to make my customised taint step visible in the path?
  2. And when it becomes visible, I'd like to name the taint step as NewRequestStep in the graph visualisation, instead of definition of url. How can I customise this if possible?

I need to explicitly reflect in the query results that my taint step contributed to the flow, for my internal SAST metrics/statistics.

Thanks for taking time with this!
You must be logged in to vote

You could try in your data-flow configuration specifying predicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

The names printed in the path explanation refer to nodes, not edges, but you could try something like class CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

Replies: 2 comments 5 replies

Comment options

You could try in your data-flow configuration specifying predicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

The names printed in the path explanation refer to nodes, not edges, but you could try something like class CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.
You must be logged in to vote
3 replies
Comment options

Thank you so much! That helps a lot.
Comment options

@smowton Hello,
Now I'm trying to do the same for Csharp, but Csharp DataFlow::Node has the final annotation so I can't override it:
final string toString() { result = this.(NodeImpl).toStringImpl() }.

Is there any way to solve it out?
Comment options

Hmm, well you could wrap the types involved in the PathGraph's nodes, edges, subpaths relations? Remove import SomeFlow::PathGraph and instead do something like...

string customToString(PathNode n) { ... your custom stringification here ... }
newtype TMyPathNode = TWrapPathNode(PathNode pn)
class MyPathNode extends TMyPathNode {
 PathNode pn;
 MyPathNode() { this = TWrapPathNode(pn) }
 string toString() {
 result = customToString(pn)
 or
 not exists(customToString(pn)) and result = pn.toString()
 }
 PathNode getPathNode() { result = pn }
}
query predicate nodes(MyPathNode mpn) {
 SomeFlow::PathGraph::nodes(mpn.getPathNode())
}
query predicate edges(MyPathNode mpn1, MyPathNode mpn2) {
 SomeFlow::PathGraph::edges(mpn1.getPathNode(), mpn2.getPathNode())
}
query predicate subpaths(...) // similar
Answer selected by KseniiaSmirn0va
Comment options

We already make sure that we never skip over steps coming from function models for any configuration. We could do additional taint steps too.

There are edge labels for some edges, e.g. those coming from function models or from additional flow steps specified in the flow configuration. For steps coming from TaintTracking::AdditionalTaintStep the label is "AdditionalTaintStep". We could make that customizable when you define the additional taint step.

Would either of these be helpful, @KseniiaSmirn0va ? Or has @smowton's suggestions already solved your problem?
You must be logged in to vote
2 replies
Comment options

Thank you, @owen-mc, for the suggestion! Did you mean a new patch is coming out for the feature I need?
Actually, I've solved out the matter with @smowton's suggestion
Comment options

Glad to hear your problem is solved. In that case I will not implement the more general solution that I suggested.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet

AltStyle によって変換されたページ (->オリジナル) /