CodeQL实战：Java微服务安全漏洞检测<\/h1>

1. CodeQL基础与数据库构建<\/h2>

1.1 数据库构建命令<\/h3>
构建Java项目的CodeQL数据库：<\/p>
codeql database create ~\/xxxxxx\/micro-service-seclab-database \
<\/span><\/span><\/span><\/span>--language=<\/span>"java"<\/span> \
<\/span><\/span><\/span><\/span>--command=<\/span>"mvn clean package -Dmaven.test.skip=true"<\/span> \
<\/span><\/span><\/span><\/span>--source-root=<\/span>.\/micro-service-seclab\/
<\/span><\/span><\/code><\/pre>1.2 核心概念<\/h3>

RemoteFlowSource<\/strong>: 远程用户输入的数据流源<\/li>
TaintTracking::Configuration<\/strong>: 污点跟踪配置基类<\/li>
DataFlow::PathGraph<\/strong>: 数据流路径图<\/li>
<\/ul>
2. SQL注入检测<\/h2>
2.1 基础SQL注入检测<\/h3>
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import DataFlow::PathGraph

class VulConfig extends TaintTracking::Configuration {
  VulConfig() { this = "SqlInjectionConfig" }
  
  override predicate isSource(DataFlow::Node src) {
    src instanceof RemoteFlowSource
  }
  
  override predicate isSink(DataFlow::Node sink) {
    exists(Method method, MethodAccess call |
      method.hasName("query") and
      call.getMethod() = method and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select source.getNode(), source, sink, "source"
<\/code><\/pre>
2.2 误报处理<\/h3>
对于List<Long><\/code>、List<Integer><\/code>等类型会产生误报，需要添加isSanitizer<\/code>：<\/p>
override predicate isSanitizer(DataFlow::Node node) {
  node.getType() instanceof PrimitiveType or
  node.getType() instanceof BoxedType or
  node.getType() instanceof NumberType or
  exists(ParameterizedType pt |
    node.getType() = pt and
    pt.getTypeArgument(0) instanceof NumberType
  )
}
<\/code><\/pre>
类型系统说明：<\/p>

PrimitiveType<\/strong>: boolean, byte, short, char, int, long, float, double<\/li>
BoxedType<\/strong>: Boolean, Byte, Short, Character, Integer, Long, Float, Double<\/li>
NumberType<\/strong>: java.lang.Number的子类型<\/li>
ParameterizedType<\/strong>: 泛型类的实例化，如List<\/li>
<\/ul>
2.3 漏报处理 - Optional类型<\/h3>
处理Optional<String><\/code>类型的漏报：<\/p>
predicate isTaintedString(Expr expSrc, Expr expDest) {
  exists(Method method, MethodAccess call, MethodAccess call1 |
    expSrc = call1.getArgument(0) and
    expDest = call and
    call.getMethod() = method and
    method.hasName("get") and
    method.getDeclaringType().toString() = "Optional<String>" and
    call1.getArgument(0).getType().toString() = "Optional<String>"
  )
}

override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
  isTaintedString(node1.asExpr(), node2.asExpr())
}
<\/code><\/pre>
3. Fastjson反序列化检测<\/h2>
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import DataFlow::PathGraph

class FastjsonVulConfig extends TaintTracking::Configuration {
  FastjsonVulConfig() { this = "fastjson" }
  
  override predicate isSource(DataFlow::Node src) {
    src instanceof RemoteFlowSource
  }
  
  override predicate isSink(DataFlow::Node sink) {
    exists(Method method, MethodAccess call |
      method.hasName("parseObject") and
      call.getMethod() = method and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from FastjsonVulConfig fastjsonVul, DataFlow::PathNode source, DataFlow::PathNode sink
where fastjsonVul.hasFlowPath(source, sink)
select source.getNode(), source, sink, "source"
<\/code><\/pre>
4. SSRF检测<\/h2>
4.1 基础SSRF检测<\/h3>
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.security.QueryInjection
import DataFlow::PathGraph
import semmle.code.java.security.RequestForgeryConfig

class SSRFVulConfig extends TaintTracking::Configuration {
  SSRFVulConfig() { this = "SSRFVulConfig" }
  
  override predicate isSource(DataFlow::Node src) {
    src instanceof RemoteFlowSource
  }
  
  override predicate isSink(DataFlow::Node sink) {
    sink instanceof RequestForgerySink
  }
}

from SSRFVulConfig ssrfVulConfig, DataFlow::PathNode source, DataFlow::PathNode sink
where ssrfVulConfig.hasFlowPath(source, sink)
select source.getNode(), source, sink, "source"
<\/code><\/pre>
4.2 漏报处理1 - String.valueOf(URL)<\/h3>
方法1：修改RequestForgery.qll源码，添加对String.valueOf(URL)的处理：<\/p>
class TypeStringLib extends RefType {
  TypeStringLib() { this.hasQualifiedName("java.lang", "String") }
}

class StringValue extends MethodAccess {
  StringValue() {
    this.getCallee().getDeclaringType() instanceof TypeStringLib and
    this.getCallee().hasName("valueOf")
  }
}

private class DefaultRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
    \/\/ 原有逻辑...
    or
    \/\/ 处理String.valueOf(URL)
    exists(StringValue c |
      c.getArgument(0) = pred.asExpr() |
      succ.asExpr() = c
    )
  }
}
<\/code><\/pre>
方法2：不改写lib，直接改写QL查询：<\/p>
class TypeStringLib extends RefType {
  TypeStringLib() { this.hasQualifiedName("java.lang", "String") }
}

class StringValue extends MethodAccess {
  StringValue() {
    this.getCallee().getDeclaringType() instanceof TypeStringLib and
    this.getCallee().hasName("valueOf")
  }
}

private class MyRequestForgeryAdditionalTaintStep extends RequestForgeryAdditionalTaintStep {
  override predicate propagatesTaint(DataFlow::Node pred, DataFlow::Node succ) {
    exists(UriCreation c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c) or
    exists(UrlConstructorCall c | c.getHostArg() = pred.asExpr() | succ.asExpr() = c) or
    exists(StringValue c | c.getArgument(0) = pred.asExpr() | succ.asExpr() = c)
  }
}
<\/code><\/pre>
4.3 漏报处理2 - OkHttpClient<\/h3>
处理OkHttpClient的链式调用：<\/p>
MethodAccess url(MethodAccess ma, DataFlow::Node node) {
  exists(MethodAccess mc |
    mc = ma.getAChildExpr() |
    if mc.getCallee().hasName("url") and mc.getArgument(0) = node.asExpr()
    then result = mc
    else result = url(mc, node)
  )
}

MethodAccess m(DataFlow::Node node) {
  exists(MethodAccess ma |
    ma.getCallee().hasName("build") and
    ma.getCallee().getDeclaringType().hasName("Builder") |
    result = url(ma, node)
  )
}

override predicate isSink(DataFlow::Node sink) {
  sink instanceof RequestForgerySink or
  exists(m(sink))
}
<\/code><\/pre>
5. XXE检测<\/h2>
import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.ExternalFlow
import DataFlow::PathGraph

class XXEVulConfig extends TaintTracking::Configuration {
  XXEVulConfig() { this = "XXEVulConfig" }
  
  override predicate isSource(DataFlow::Node src) {
    src instanceof RemoteFlowSource
  }
  
  override predicate isSink(DataFlow::Node sink) {
    exists(Method method, MethodAccess call |
      method.hasName("parse") and
      call.getMethod() = method and
      sink.asExpr() = call.getArgument(0)
    )
  }
}

from XXEVulConfig xxeVulConfig, DataFlow::PathNode source, DataFlow::PathNode sink
where xxeVulConfig.hasFlowPath(source, sink)
select source.getNode(), source, sink, "source"
<\/code><\/pre>
6. 最佳实践<\/h2>

积极查阅标准库<\/strong>：遇到不熟悉的类或方法时，应积极查阅CodeQL standard libraries<\/li>
多积累记录<\/strong>：建立自己的查询代码库，积累常见漏洞模式<\/li>
误报处理<\/strong>：通过isSanitizer精准过滤非漏洞路径<\/li>
漏报处理<\/strong>：通过isAdditionalTaintStep补充数据流传播规则<\/li>
语法树分析<\/strong>：对于复杂调用链，先分析语法树结构再编写对应查询<\/li>
<\/ol>
通过以上方法，可以构建针对Java微服务应用的全面安全检测方案，覆盖SQL注入、Fastjson反序列化、SSRF、XXE等常见漏洞类型。<\/p>