CodeQL 提升篇 - 高级技巧与实践指南<\/h1>

一、基础功能增强<\/h2>

1. 编译闭源项目创建数据库<\/h3>
使用工具: codeql_compile<\/a><\/li>
解决闭源项目无法直接创建CodeQL数据库的问题<\/li> <\/ul>
2. 历史查询功能<\/h3>
在VSCode左侧的QUERY HISTORY中:
点击切换历史查询内容<\/li>
右键可进行结果比对等功能<\/li> <\/ul> <\/li> <\/ul>
3. 查看AST<\/h3>
操作步骤:
在VSCode左侧选中Java文件<\/li>
点击"View AST"查看抽象语法树<\/li>
点击Java文件中的类\/方法会自动定位到AST对应节点<\/li> <\/ol> <\/li> <\/ul>
4. 快速查询<\/h3>
在编写谓词上方有快速查询按钮<\/li>
点击可立即查询当前谓词的结果<\/li> <\/ul>
二、核心语法技巧<\/h2>

1. 获取具体QL类型<\/h3>
from Expr e, Callable c
where e.getEnclosingCallable() = c
select e, e.getAQlClass()
<\/code><\/pre>
2. 范围缩小优化<\/h3>
优化前(性能差):<\/p>
override predicate isSink(DataFlow::Node sink) {
  sink.asExpr().getParent() instanceof ReturnStmt
}
<\/code><\/pre>
优化后(添加限定条件):<\/p>
override predicate isSink(DataFlow::Node sink) {
  sink.asExpr().getParent() instanceof ReturnStmt and
  sink.asExpr().getEnclosingCallable().hasName("xxxxx")
}
<\/code><\/pre>
3. 常用规则模板<\/h3>
方法参数作为source<\/h4>
override predicate isSource(DataFlow::Node source) {
  exists(Parameter p | 
    p.getCallable().hasName("readValue") and
    source.asParameter() = p and
    source.asParameter().getPosition() = 0 and
    p.getCallable().getDeclaringType().hasQualifiedName("com.service.impl", "xxxxx")
  )
}
<\/code><\/pre>
实例参数作为source<\/h4>
override predicate isSource(DataFlow::Node source) {
  exists(ClassInstanceExpr ma |
    source.asExpr() = ma.getAnArgument() and
    ma.getTypeName().toString() = "X1" and
    ma.getCaller().hasName("Caller")
  )
}
<\/code><\/pre>
4. 调用路径追踪<\/h3>
import java

class StartMethod extends Method {
  StartMethod() { getName() = "main" }
}

class TargetMethod extends Method {
  TargetMethod() { getName() = "vulMain" }
}

query predicate edges(Method a, Method b) { a.calls(b) }

from TargetMethod end, StartMethod entryPoint
where edges+(entryPoint, end)
select end, entryPoint, end, "Found a path from start to target."
<\/code><\/pre>
5. 接口实现检测<\/h3>
class JsonInterface extends Interface {
  JsonInterface() {
    this.hasQualifiedName("com.alibaba.fastjson", "JSONStreamAware")
  }
  
  Method getJsonMethod() {
    result.getDeclaringType() = this
  }
}

class CMethod extends Method {
  CMethod() {
    this.overridesOrInstantiates*(any(JsonInterface i).getJsonMethod())
  }
}

from CMethod m select m, m.getDeclaringType()
<\/code><\/pre>
三、查询结果处理<\/h2>
1. 查询类型与元数据<\/h3>


普通查询<\/strong>:<\/p>

元数据: @kind problem<\/code><\/li>
格式: select element, string<\/code><\/li>
禁止导入PathGraph相关<\/li>
<\/ul>
<\/li>

路径查询<\/strong>:<\/p>

元数据: @kind path-problem<\/code><\/li>
格式: select element, source, sink, string<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2. 常见错误处理<\/h3>
错误示例:<\/p>
Showing raw results instead of interpreted ones due to an error...
Expected result pattern(s) are not present for problem query...
<\/code><\/pre>
解决方案:<\/p>

确保查询类型与元数据匹配<\/li>
检查select语句格式是否正确<\/li>
避免在普通查询中使用PathGraph导入<\/li>
<\/ul>
四、数据流中断处理(AdditionalTaintStep)<\/h2>
1. Getter\/Setter处理<\/h3>
class GetSetTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node src, DataFlow::Node sink) {
    exists(MethodAccess ma |
      (ma.getMethod() instanceof GetterMethod or
       ma.getMethod() instanceof SetterMethod or
       ma.getMethod().getName().matches("get%") or
       ma.getMethod().getName().matches("set%")) and
      src.asExpr() = ma.getQualifier() and
      sink.asExpr() = ma
    )
  }
}
<\/code><\/pre>
2. MyBatis Mapper处理<\/h3>
class MapperTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node src, DataFlow::Node sink) {
    exists(MethodAccess ma |
      (ma.getQualifier().getType().getName().matches("%Dao") or
       ma.getQualifier().getType().getName().matches("%Mapper")) and
      src.asExpr() = ma.getAnArgument() and
      sink.asExpr() = ma
    )
  }
}
<\/code><\/pre>
3. 方法参数污染传播<\/h3>
class SrcTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node src, DataFlow::Node sink) {
    exists(MethodAccess ma |
      (ma.getMethod() instanceof SetterMethod or
       ma.getMethod().getName().matches("set%")) and
      src.asExpr() = ma.getAnArgument() and
      sink.asExpr() = ma.getQualifier()
    )
  }
}
<\/code><\/pre>
4. 实例化对象处理<\/h3>
class InstanceTaintStep extends TaintTracking::AdditionalTaintStep {
  override predicate step(DataFlow::Node src, DataFlow::Node sink) {
    exists(ClassInstanceExpr cie |
      \/\/ cie.getTypeName().toString() = "UploadFile" \/\/ 可添加特定类型过滤
      src.asExpr() = cie.getAnArgument() and
      sink.asExpr() = cie
    )
  }
}
<\/code><\/pre>
五、部分流分析(Partial Flow)<\/h2>
1. 基本使用<\/h3>
import DataFlow::PartialPathGraph

class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
  override int explorationLimit() { result = 5 }
}

from MyTaintTrackingConfiguration conf, 
     DataFlow::PartialPathNode source, 
     DataFlow::PartialPathNode sink
where conf.hasPartialFlow(source, sink, _)
select sink, source, sink, "Partial flow from unsanitized user data"
<\/code><\/pre>
2. 调试技巧<\/h3>

分段检查<\/strong>: 将长调用链分成小段检查<\/li>
精确source<\/strong>: 使用确定的单个source减少输出<\/li>
使用sanitizer<\/strong>: 清洗掉无关数据<\/li>
<\/ol>
六、路径注入检测实战<\/h2>
1. 官方规则分析<\/h3>

Source<\/strong>: 使用RemoteFlowSource<\/code>(常见用户输入源)<\/li>
Sink<\/strong>: 文件操作方法的文件名参数
override predicate isSink(DataFlow::Node sink) {
  exists(Expr e | 
    e = sink.asExpr() | 
    e = any(PathCreation p).getAnInput() and 
    not guarded(e)
  )
}
<\/code><\/pre>
<\/li>
<\/ul>
2. Guarded谓词分析<\/h3>
private predicate guarded(Expr e) {
  exists(ConditionBlock cb, Expr c |
    exists(PathCreation p | e = p.getAnInput()) and
    cb.getCondition().getAChildExpr*() = c and
    c = e.getVariable().getAnAccess() and
    cb.controls(e.getBasicBlock(), true) and
    not inWeakCheck(c)
  )
}
<\/code><\/pre>
3. 清洗条件<\/h3>
override predicate isSanitizer(DataFlow::Node node) {
  exists(Type t | t = node.getType() | 
    t instanceof BoxedType or 
    t instanceof PrimitiveType
  )
}

override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
  guard instanceof ContainsDotDotSanitizer
}
<\/code><\/pre>
4. 真实场景应用<\/h3>
class TaintedPathConfig extends TaintTracking::Configuration {
  TaintedPathConfig() { this = "TaintedPathConfig" }
  
  override predicate isSource(DataFlow::Node source) {
    exists(Method m, Parameter p |
      m.getAnAnnotation().getType().hasQualifiedName(
        "org.springframework.web.bind.annotation", "RequestMapping") and
      m.hasAnnotation() and
      m.getAParameter() = p and
      source.asParameter() = p and
      p.getType().hasName("HttpServletRequest")
    )
  }
  
  override predicate isSink(DataFlow::Node sink) {
    exists(Method m, Parameter p |
      m.hasName("uploadFile") and
      m.getDeclaringType().hasQualifiedName(
        "org.xxxx.core.common.dao.impl", "xxxxx") and
      m.getAParameter() = p and
      sink.asParameter() = p and
      p.getType().hasName("UploadFile")
    )
  }
}
<\/code><\/pre>
七、最佳实践总结<\/h2>


性能优化<\/strong>:<\/p>

尽量缩小查询范围<\/li>
添加具体的限定条件<\/li>
<\/ul>
<\/li>

数据流处理<\/strong>:<\/p>

识别常见中断场景<\/li>
合理使用AdditionalTaintStep<\/li>
掌握Partial Flow调试技巧<\/li>
<\/ul>
<\/li>

规则编写<\/strong>:<\/p>

区分普通查询和路径查询<\/li>
正确处理元数据<\/li>
结合实际业务场景定制规则<\/li>
<\/ul>
<\/li>

安全检测<\/strong>:<\/p>

理解官方规则设计思路<\/li>
根据实际项目调整source\/sink定义<\/li>
合理设置sanitizer减少误报<\/li>
<\/ul>
<\/li>
<\/ol>