Preface
Before we use CodeQL for code auditing, it is worth learning some basic QL syntax first: sharpening the axe does not delay the woodcutting.
Official tutorial link: https://codeql.github.com/docs/writing-codeql-queries/ql-tutorials/
In this tutorial we play the role of a detective and use QL to investigate the problems we encounter.
QL introduction
Some simple exercises and examples help us understand the basics of QL and CodeQL.
Anyone who has used SQL will find the basic syntax of QL familiar, although it is used somewhat differently.
QL is a logic programming language, so a query is composed of logical formulas. QL uses the common logical connectives (such as and, or, and not), quantifiers (such as forall and exists), and other important logical concepts (such as predicates).
QL also supports recursion and aggregation. This allows you to write complex recursive queries using simple QL syntax and to use aggregates such as count, sum, and average directly.
The following examples are run in VS Code with the CodeQL environment already configured.
- Output hello world

```ql
import python

select "hello world"
```
- The general shape of a query

```ql
import <language>  /* import the library for the language being analysed */

/* optional: class and predicate definitions */

from   /* declare variables */
where  /* logical conditions on those variables */
select /* results to print */
```
- A multiplication

```ql
import python

from int i, int j
where i = 6 and j = 8
select i * j
```
Note that CodeQL has five primitive types: int, date, float, boolean and string. Each type has its own predicates (for now, think of a predicate as a function) that can be called on a value of that type. When we start typing one, VS Code offers completions just as it does when writing Java or Python.
- Query the length of a string

```ql
import python

select "springbird".length()
```
- Write a query that returns the sine of the smaller of 3 ^ 5 and 245.6.

```ql
import python

from float x, float y
where x = 3.pow(5) and y = 245.6
select x.minimum(y).sin()
```
- Negate the boolean value false

```ql
import python

from boolean x
where x = false
select x.booleanNot()
```
- Write a query to calculate the number of days between 10 June and 28 September 2017

```ql
from date start, date end
where start = "10/06/2017".toDate() and end = "28/09/2017".toDate()
select start.daysTo(end)
```
Each query above selects a single value. select can also output several values at once, for example

```ql
select 1, 2, 3
```
- Calculate all Pythagorean triples between 1 and 10

```ql
from int x, int y, int z
where x in [1,2,3,4,5,6,7,8,9,10]
  and y in [1,2,3,4,5,6,7,8,9,10]
  and z in [1,2,3,4,5,6,7,8,9,10]
  and x*x + y*y = z*z
select x, y, z
```
In the query above, the list [1, 2, ..., 10] is written three times and the squaring x*x, y*y is repeated too, so we can move both into a class to make the code reusable:

```ql
class SmallInt extends int {
  /* characteristic predicate: which ints belong to this class */
  SmallInt() { this in [1,2,3,4,5,6,7,8,9,10] }

  /* member predicate: the square of this value */
  int square() { result = this * this }
}

from SmallInt x, SmallInt y, SmallInt z
where x.square() + y.square() = z.square()
select x, y, z
```
So far we have looked at the built-in primitive types of QL, but what we actually want is to analyse vulnerabilities in code, so next we need to understand how CodeQL is used on project code.
Here we use a Python Flask project.
- Query the project for functions that take more than 7 parameters
The from clause declares a variable tempf that represents a Python function; the where clause restricts the number of parameters as required; finally select returns the matching functions.

```ql
import python

from Function tempf
where count(tempf.getAnArg()) > 7
select tempf
```
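The same query written with the class pattern from SmallInt, so the parameter limit and the count become reusable. This is an added example, not code from the original post; it assumes the `python` CodeQL library's `Function.getAnArg()` (used above) and `Function.getName()`, and the limit of 7 is just the value from the previous query.

```ql
import python

/* A Python function with more than 7 parameters. The characteristic
 * predicate plays the same role as `this in [1..10]` did for SmallInt. */
class WideFunction extends Function {
  WideFunction() { count(this.getAnArg()) > 7 }

  /* number of declared parameters, reused in the select below */
  int arity() { result = count(this.getAnArg()) }
}

from WideFunction f
select f, f.getName(), f.arity() as n
order by n desc
```

Sorting on the aggregate column puts the widest functions first, which is usually where a manual review wants to start.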
The same part of the tutorial also covers JavaScript and Java, which I will not repeat here.
END