Merge branch 'main' into go-local-sources

Author: GeekMasher

.devcontainer/devcontainer.json

@@ -0,0 +1,15 @@
+{
+    "name": "CodeQL-Community-Packs",
+    "extensions": [
+        "github.vscode-codeql",
+        "github.copilot"
+    ],
+    "settings": {
+        "codeQL.runningQueries.autoSave": true,
+        "codeQL.runningQueries.numberOfThreads": 4,
+        "codeQL.runningQueries.debug": true,
+        "editor.formatOnSave": true
+    },
+    "postCreateCommand": "git submodule init && git submodule update --recursive",
+    "remoteUser": "root"
+}

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# This project is maintained with love by:
+
+- @pwntester @geekmasher

.github/scripts/pr-configs.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -euo pipefail
+
+PR_NUMBER=${1}
+
+codeql_code="/tmp/codeql-test-code"
+codeql_db="/tmp/codeql-test-database"
+
+for file in $(gh pr view $PR_NUMBER --json files --jq '.files.[].path'); do
+    if [[ ! -f "$file" ]]; then
+        continue
+    fi
+
+    # config file
+    if [[ "$file" == configs/*.yml ]]; then
+        echo "[+] Compiling Config :: $file"
+
+        if [[ -d "$codeql_db" ]]; then
+            rm -rf "$codeql_db"
+        fi
+
+        mkdir -p "$codeql_code"
+        echo "print('Hello, World!')" > "$codeql_code/main.py"
+
+        codeql database create \
+            --source-root=$codeql_code \
+            --language=python \
+            --codescanning-config=$file \
+            "$codeql_db"
+    fi
+done

.github/workflows/build.yml

@@ -141,3 +141,34 @@ jobs:
           codeql pack install "${{ matrix.language }}/ext-library-sources/"
           codeql pack create "${{ matrix.language }}/ext-library-sources/"
 
+  configs:
+    runs-on: ubuntu-latest
+    needs: compile
+    
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+        id: changes
+        with:
+          filters: |
+            src:
+              - 'configs/**'
+      
+      - name: Initialize CodeQL
+        if: steps.changes.outputs.src == 'true'
+        run: |
+          VERSION="$(find "${{ runner.tool_cache }}/CodeQL/" -maxdepth 1 -mindepth 1 -type d -print \
+                       | sort \
+                       | tail -n 1 \
+                       | tr -d '\n')"
+          echo "$VERSION/x64/codeql" >> $GITHUB_PATH
+
+      - name: "Check Configurations"
+        if: steps.changes.outputs.src == 'true'
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          ./.github/scripts/pr-configs.sh "${{ github.event.number }}"
+
+

README.md

@@ -33,6 +33,18 @@ Using a `githubsecuritylab/codeql-LANG-queries` query pack will reference the de
     packs: githubsecuritylab/codeql-${{ matrix.language }}-queries
 ```
 
+### Using community packs with provided configuration file
+
+This repository has a number of [provided configuration files][configurations] you can use or copy from the community packs.
+
+```yaml
+- name: Initialize CodeQL
+  uses: github/codeql-action/init@v2
+  with:
+    languages: ${{ matrix.language }}
+    config-file: GitHubSecurityLab/CodeQL-Community-Packs/configs/default.yml@main
+```
+
 ### Using a community pack from the CLI configuration file
 
 ```bash
@@ -54,3 +66,7 @@ This project is licensed under the terms of the MIT open source license. Please
 ## Support
 
 Please [create GitHub issues](https://github.com/advanced-security/brew-dependency-submission-action) for any feature requests, bugs, or documentation problems.
+
+<!-- Resources / Links -->
+
+[configurations]: ./configs

configs/README.md

@@ -0,0 +1,26 @@
+# Community Configurations
+
+## [Default / CodeQL](default.yml)
+
+The `default.yml` configuration is the default config file used to make it easy to use the CodeQL Community Packs.  The queries included here are pulled in from the language `default suites` automatically when referencing the community packs.  The default suites as specified in each language's `{LANG}/src/qlpack.yml`.  The standard configuration is:
+```yml
+defaultSuiteFile: suites/{LANG}.qls
+```
+
+## [Audit](audit.yml)
+
+The `audit.yml` configuration is used primarily to conduct a security assessment of potentially vulnerable code, by running a number of audit queries with CodeQL.  Many of these queries operate on partial path queries, thus not seeking complete source/sink flows. Use these wide-ranging queries or [partial flow paths](https://codeql.github.com/docs/writing-codeql-queries/debugging-data-flow-queries-using-partial-flow/) as tools to infer potential taint disruptions and identify opportunities for customization improvements.
+
+These are based on the suite in each language suites folder called `{LANG}-audit.qls`
+
+> [!NOTE]
+> Current Ruby and Swift are not supported
+
+## [Synthetics](synthetics.yml)
+
+This `synthetics.yml` configuration is intended for analyzing synthetic ([intentionally vulnerable](https://owasp.org/www-project-vulnerable-web-applications-directory/)) code samples for vulnerabilities. This configuration uses all possible security queries/extensions from the CodeQL built in packs, the CodeQL Community Packs, and additional OSS packs. It also includes the queries from the built-in `security-experimental.qls` suite with additional lower precision/experimental queries:
+- queries marked as `@precision: low` or missing a precision
+- queries marked as `@problem.severity: recommendation`
+- queries in `\experimental\` folders
+
+This configuration will provide a more thorough analysis at the cost of longer analysis times and potential false positives.  Consider using the `audit.yml` configuration to look for additional false negative scenarios.

configs/audit.yml

@@ -0,0 +1,22 @@
+name: "GitHub Community Pack Audit Configuration"
+
+packs:
+  # C/C++
+  - githubsecuritylab/codeql-cpp-queries:suites/cpp-audit.qls
+  # C#
+  - githubsecuritylab/codeql-csharp-queries:suites/csharp-audit.qls
+  - githubsecuritylab/codeql-csharp-extensions
+  - githubsecuritylab/codeql-csharp-library-sources
+  # Go
+  - githubsecuritylab/codeql-go-queries:suites/go-audit.qls
+  # Java
+  - githubsecuritylab/codeql-java-queries:suites/java-audit.qls
+  - githubsecuritylab/codeql-java-extensions
+  - githubsecuritylab/codeql-java-library-sources
+  # JavaScript / Typescript
+  - githubsecuritylab/codeql-javascript-queries:suites/javascript-audit.qls
+  # Python
+  - githubsecuritylab/codeql-python-queries:suites/python-audit.qls
+  # Ruby
+  # - githubsecuritylab/codeql-ruby-queries:suites/ruby-audit.qls
+

configs/default.yml

@@ -0,0 +1,22 @@
+name: "GitHub Community Pack Default CodeQL Configuration"
+
+packs:
+  # C/C++
+  - githubsecuritylab/codeql-cpp-queries
+  # C#
+  - githubsecuritylab/codeql-csharp-queries
+  - githubsecuritylab/codeql-csharp-extensions
+  - githubsecuritylab/codeql-csharp-library-sources
+  # Go
+  - githubsecuritylab/codeql-go-queries
+  # Java
+  - githubsecuritylab/codeql-java-queries
+  - githubsecuritylab/codeql-java-extensions
+  - githubsecuritylab/codeql-java-library-sources
+  # JavaScript / Typescript
+  - githubsecuritylab/codeql-javascript-queries
+  # Python
+  - githubsecuritylab/codeql-python-queries
+  # Ruby
+  - githubsecuritylab/codeql-ruby-queries
+

configs/synthetics.yml

@@ -0,0 +1,116 @@
+# Use this configuration file when looking to get the broadest coverage of security results from the CodeQL Built in packs and the GitHub Security Lab Community packs.
+# WARNING: A notable amount of false positives may be found in this configuration.  If you wish to reduce the number of false positives, use the default codeql suites :)
+# NOTE: This configuration will not include audit level queries intended for gathering information about the codebase, and debugging queries intended for CodeQL developers.
+
+name: "Synthetic Apps All Queries Config"
+
+# expand thread model - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models
+threat-models: local
+
+# start from scratch - https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#disabling-the-default-queries
+disable-default-queries: true
+
+packs:
+    # All queries from the CodeQL Built in packs (including low/no precision queries)
+    - codeql/cpp-queries:.
+    - codeql/csharp-queries:.
+    - codeql/go-queries:.
+    - codeql/java-queries:.
+    - codeql/javascript-queries:.
+    - codeql/python-queries:.
+    - codeql/ruby-queries:.
+    - codeql/swift-queries:.
+
+    # OSS queries from the default suites
+
+    ### GitHub Security Lab###
+    # Queries via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs (NOTE: the default suites do not include audit/debugging queries)
+    - githubsecuritylab/codeql-cpp-queries
+    - githubsecuritylab/codeql-csharp-queries
+    - githubsecuritylab/codeql-go-queries
+    - githubsecuritylab/codeql-java-queries
+    - githubsecuritylab/codeql-javascript-queries
+    - githubsecuritylab/codeql-python-queries
+    - githubsecuritylab/codeql-ruby-queries
+
+    # Queries via Community Packs that use local sources https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-java-queries:suites/java-local.qls
+    - githubsecuritylab/codeql-python-queries:suites/python-local.qls
+
+    # Data extensions via Community Packs for libraries (library ext models are those generated by the corresponding queries in src) https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-library-sources
+    - githubsecuritylab/codeql-java-library-sources
+
+    # Data extensions via Community Packs https://github.com/GitHubSecurityLab/CodeQL-Community-Packs
+    - githubsecuritylab/codeql-csharp-extensions
+    - githubsecuritylab/codeql-java-extensions
+
+    ### Trail of Bits ###
+    # Queris via packs: https://github.com/trailofbits/codeql-queries  (default suites include security + crypto
+    - trailofbits/cpp-queries
+    - trailofbits/go-queries
+
+# Start with Security Experimental (lightly documented: https://github.com/github/codeql/pull/11702) : https://github.com/github/codeql/blob/main/misc/suite-helpers/security-experimental-selectors.yml
+# - precision ( low + Low or EXCLUDED precision)
+# + problem.severity: recommendation
+# - restriction of no experimental folder
+# - restriction of audit/debugging queries from community packs
+query-filters:
+    - include:
+          kind:
+              - problem
+              - path-problem
+          tags contain:
+              - security
+    - include:
+          kind:
+              - diagnostic
+    - include:
+          kind:
+              - metric
+          tags contain:
+              - summary
+    - exclude:
+          deprecated: //
+    - exclude:
+          query path:
+              # REMOVE exclude - OK even if they exist in experimental folder
+              #- /^experimental\/.*/
+              - Metrics/Summaries/FrameworkCoverage.ql
+              - /Diagnostics/Internal/.*/
+    - exclude:
+          tags contain:
+              - modeleditor
+              - modelgenerator
+    # Exclude audit queries from the CodeQL Built in packs
+    - exclude:
+          id:
+              - cpp/untrusted-data-to-external-api
+              - cs/untrusted-data-to-external-api
+              - go/untrusted-data-to-external-api
+              - java/untrusted-data-to-external-api
+              - js/untrusted-data-to-external-api
+              - py/untrusted-data-to-external-api
+
+    # Remove debugging, and audit queries used by community packs (this is duplicative of the default suites from those community packs)
+    - exclude:
+          tags contain:
+              - debugging
+              - audit
+
+#Additional extractor excludes:  https://github.com/github/codeql/blob/768e5190a1c9d40a4acc7143c461c3b114e7fd59/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java#L421-L427C42
+paths-ignore:
+    # Python
+    - "vendor/**"
+    - "examples/**"
+    - "tests/**"
+
+    # JavaScript
+    - "node_modules"
+    - "**/*.test.js"
+    - "**/*.test.tsx"
+    - "**/*.spec.ts"
+    - "**/*.spec.tsx"
+    - "dist"
+    - "CoverageResults"    
+    - "**/wwwroot/lib/**"

csharp/ext/manual/java-dotenv.model.yml

@@ -0,0 +1,22 @@
+extensions:
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sourceModel
+    data:
+      - ["io.github.cdimascio.dotenv","Dotenv",true,"get","(String)","","ReturnValue","local","manual"]
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: sinkModel
+    data: []
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data: []
+
+  - addsTo:
+      pack: codeql/java-all
+      extensible: neutralModel
+    data:
+      - ["io.github.cdimascio.dotenv","Dotenv","load","()","summary","manual"]

go/lib/codeql-pack.lock.yml

@@ -2,15 +2,17 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/dataflow:
-    version: 0.0.3
+    version: 0.2.7
   codeql/go-all:
-    version: 0.6.4
+    version: 0.8.1
   codeql/mad:
-    version: 0.1.4
+    version: 0.2.16
   codeql/ssa:
-    version: 0.1.4
+    version: 0.2.16
   codeql/tutorial:
-    version: 0.1.4
+    version: 0.2.16
+  codeql/typetracking:
+    version: 0.2.16
   codeql/util:
-    version: 0.1.4
+    version: 0.2.16
 compiled: false

go/src/audit/CWE-089/SqlInjectionAudit.ql

@@ -12,24 +12,30 @@
  */
 
 import go
-import semmle.go.security.SqlInjection
-import DataFlow::PathGraph
 import ghsl.Utils
+private import semmle.go.security.SqlInjectionCustomizations
 
 /**
  * A taint-tracking configuration for detecting SQL injection vulnerabilities.
  */
-class SqlInjectionAudit extends TaintTracking::Configuration {
-  SqlInjectionAudit() { this = "SqlInjectionAudit" }
+private module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof DynamicStrings }
+  predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof SqlInjection::Sink }
+  predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
+    NoSql::isAdditionalMongoTaintStep(pred, succ)
+  }
 
-  override predicate isSanitizer(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
+  predicate isBarrier(DataFlow::Node node) { node instanceof SqlInjection::Sanitizer }
 }
 
-from SqlInjectionAudit config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "This SQL query depends on $@.", source.getNode(),
-  "a user-provided value"
+/** Tracks taint flow for reasoning about SQL-injection vulnerabilities. */
+module Flow = TaintTracking::Global<Config>;
+
+import Flow::PathGraph
+
+from Flow::PathNode source, Flow::PathNode sink
+where Flow::flowPath(source, sink)
+select sink.getNode(), source, sink, "This query depends on a $@.", source.getNode(),
+  "user-provided value"