Merge pull request #2 from advanced-security-demo/codeql-bundle-demo

Codeql bundle demo

Author: rvermeulen

.github/workflows/bundle.yaml

@@ -0,0 +1,27 @@
+name: Create Bundle
+on:
+  workflow_dispatch:
+
+jobs:
+  build-and-release:
+    runs-on: ubuntu-latest
+    name: Build and release bundle
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: CodeQL bundle
+        id: codeql-bundle
+        uses: advanced-security/codeql-bundle-action@add-support-for-qlx-compiled-queries
+        with:
+          packs: "advanced-security-demo/vapi-customizations"
+      - name: Bundle release
+        env:
+          BUNDLE_PATH: ${{ steps.codeql-bundle.outputs.bundle-path }}
+          BUNDLE_TAG: ${{ steps.codeql-bundle.outputs.bundle-tag }}
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          if gh release view $BUNDLE_TAG; then
+            gh release upload --clobber $BUNDLE_TAG $BUNDLE_PATH
+          else
+            gh release create $BUNDLE_TAG $BUNDLE_PATH --generate-notes
+          fi

.github/workflows/codeql.yaml

@@ -0,0 +1,32 @@
+name: "CodeQL"
+on:
+  workflow_dispatch:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    name: "Analyze"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Download custom bundle
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh release download --pattern 'codeql-bundle.tar.gz'
+
+      - name: CodeQL Initialize
+        uses: github/codeql-action/init@v2
+        with:
+          tools: codeql-bundle.tar.gz
+          queries: security-extended
+
+      - name: CodeQL Analyze
+        uses: github/codeql-action/analyze@v2

.github/workflows/vAPI-testing.yaml renamed to .github/workflows/vAPI-testing.yaml.disabled

@@ -0,0 +1,2 @@
+provide:
+  - "vapi-customizations/qlpack.yml"

codeql-workspace.yml

@@ -0,0 +1,68 @@
+import python
+private import semmle.python.ApiGraphs
+private import semmle.python.dataflow.new.RemoteFlowSources
+private import semmle.python.frameworks.internal.InstanceTaintStepsHelper
+
+module Connexion {
+  API::Node request() { result = API::moduleImport("connexion").getMember("request") }
+
+  private class ConnexionRequestSource extends RemoteFlowSource::Range {
+    ConnexionRequestSource() {
+      this = request().getAUse() and
+      not any(Import imp).contains(this.asExpr()) and
+      not exists(ControlFlowNode def | this.asVar().getSourceVariable().hasDefiningNode(def) |
+        any(Import imp).contains(def.getNode())
+      )
+    }
+
+    override string getSourceType() { result = "connexion.request" }
+  }
+
+  private class InstanceTaintSteps extends InstanceTaintStepsHelper {
+    InstanceTaintSteps() { this = "connexion.Request" }
+
+    override DataFlow::Node getInstance() { result = request().getAUse() }
+
+    override string getAttributeName() {
+      result in [
+          // str
+          "path", "full_path", "base_url", "url", "access_control_request_method",
+          "content_encoding", "content_md5", "content_type", "data", "method", "mimetype", "origin",
+          "query_string", "referrer", "remote_addr", "remote_user", "user_agent",
+          // dict
+          "environ", "cookies", "mimetype_params", "view_args",
+          // json
+          "json",
+          // List[str]
+          "access_route",
+          // file-like
+          "stream", "input_stream",
+          // MultiDict[str, str]
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.MultiDict
+          "args", "values", "form",
+          // MultiDict[str, FileStorage]
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.FileStorage
+          // TODO: FileStorage needs extra taint steps
+          "files",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.HeaderSet
+          "access_control_request_headers", "pragma",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Accept
+          // TODO: Kinda badly modeled for now -- has type List[Tuple[value, quality]], and some extra methods
+          "accept_charsets", "accept_encodings", "accept_languages", "accept_mimetypes",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Authorization
+          // TODO: dict subclass with extra attributes like `username` and `password`
+          "authorization",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.RequestCacheControl
+          // TODO: has attributes like `no_cache`, and `to_header` method (actually, many of these models do)
+          "cache_control",
+          // https://werkzeug.palletsprojects.com/en/1.0.x/datastructures/#werkzeug.datastructures.Headers
+          // TODO: dict-like with wsgiref.headers.Header compatibility methods
+          "headers"
+        ]
+    }
+
+    override string getMethodName() { result in ["get_data", "get_json"] }
+
+    override string getAsyncMethodName() { none() }
+  }
+}

vapi-customizations/advanced_security_demo/vapi_customizations/Customizations.qll

@@ -0,0 +1,6 @@
+---
+dependencies:
+  codeql/python-all:
+    version: 0.4.1
+compiled: false
+lockVersion: 1.0.0

vapi-customizations/codeql-pack.lock.yml

@@ -0,0 +1,7 @@
+---
+library: true
+name: advanced-security-demo/vapi-customizations
+version: 0.0.1
+dependencies:
+  codeql/python-all: 0.4.1
+extractor: python