{"id":13844062,"url":"https://github.com/Firebasky/CodeqlLearn","last_synced_at":"2025-07-11T21:32:45.855Z","repository":{"id":43284868,"uuid":"443728357","full_name":"Firebasky/CodeqlLearn","owner":"Firebasky","description":"Notes from learning CodeQL","archived":false,"fork":false,"pushed_at":"2023-06-09T09:09:25.000Z","size":146,"stargazers_count":347,"open_issues_count":1,"forks_count":52,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-08-05T17:40:46.155Z","etag":null,"topics":["codeql"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Firebasky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-01-02T09:37:04.000Z","updated_at":"2024-08-04T10:55:53.000Z","dependencies_parsed_at":"2024-02-08T20:59:18.617Z","dependency_job_id":"66dbd0bd-478b-46bb-aa36-49306b15a36b","html_url":"https://github.com/Firebasky/CodeqlLearn","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firebasky%2FCodeqlLearn","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firebasky%2FCodeqlLearn/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firebasky%2FCodeqlLearn/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Firebasky%2FCodeqlLearn/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Firebasky","download_url":"https://codeload.github.com/Firebasky/CodeqlLearn/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225763235,"owners_count":17520424,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codeql"],"created_at":"2024-08-04T17:02:33.832Z","updated_at":"2024-11-21T16:30:29.488Z","avatar_url":"https://github.com/Firebasky.png","language":null,"readme":"# CodeqlLearn\n\n\u003e Modified from safe6sec's notes to better fit my own needs\n\n# AST\n\nhttps://www.jianshu.com/p/ff8ec920f5b9\n\nhttps://www.jianshu.com/p/4bd5dc13f35a\n\nhttps://www.jianshu.com/p/68fcbc154c2f\n\n# Learning process\n\nArticles I read while learning CodeQL\n\n- [CodeQL从入门到放弃](https://www.freebuf.com/articles/web/283795.html) :heavy_check_mark:\n- [codeQL入门](https://me.xxf.world/post/codeql-huan-jing-da-jian/) :heavy_check_mark:\n- [Codeql 入门2](https://mp.weixin.qq.com/s?__biz=Mzg5OTQ3NzA2MQ==\u0026mid=2247485016\u0026idx=1\u0026sn=983c23cd5cff4310ee233b21444815f4\u0026chksm=c053fd72f72474647ba9d70e23ba81196f01055550d6b8ead0eebb67df7dc7aac15cda6ae05b\u0026mpshare=1\u0026scene=23\u0026srcid=1229z6KsvgKYZRrPzIwGONPb\u0026sharer_sharetime=1640768952290\u0026sharer_shareid=33a823b10ae99f33a60db621d83241cb#rd) :heavy_check_mark:\n- [CodeQL笔记](https://lfysec.top/2020/06/03/CodeQL%E7%AC%94%E8%AE%B0/) :heavy_check_mark:\n- [代码分析引擎 CodeQL 初体验](https://paper.seebug.org/1078) :heavy_check_mark:\n- [codeql学习笔记](https://zhuanlan.zhihu.com/p/354275826) :heavy_check_mark:\n- [CodeQL学习——CodeQl数据流分析 - bamb00 - 博客园](https://www.cnblogs.com/goodhacker/p/13583650.html) :heavy_check_mark:\n- [原创 |CodeQL与AST之间联系](https://mp.weixin.qq.com/s?__biz=MzI4Mzc0MTI0Mw==\u0026mid=2247493662\u0026idx=2\u0026sn=8cead6291bb8f3c130093e6006089b5d\u0026chksm=eb84b54adcf33c5c6ef57c685d221fda68e0cedba2a59b886f3079d4d50884b70689c31d43b8\u0026mpshare=1\u0026scene=23\u0026srcid=0501LyVqcDU5vQ7Izenx2oim\u0026sharer_sharetime=1651408304150\u0026sharer_shareid=d74249cca329fbfc7dc218e59f3897aa#rd) :heavy_check_mark:\n- [使用静态代码检测微服务越权、未授权访问漏洞](https://mp.weixin.qq.com/s?__biz=MzA4NzA5OTYzNw==\u0026mid=2247484233\u0026idx=1\u0026sn=dec528945d54fe94c6492c3b774b5d81\u0026chksm=903fd2d3a7485bc569a3ea4bc9ea8d2837224389e8c6351c99c0aba815270e2c84f528cfa6ba\u0026mpshare=1\u0026scene=23\u0026srcid=07081Nc37ZXSTAMgk5b7cpG0\u0026sharer_sharetime=1657244441300\u0026sharer_shareid=33fdea7abe6be586e131951d667ccd06#rd) :heavy_check_mark:\n- [微服务下用静态代码扫描越权漏洞](https://mp.weixin.qq.com/s/3rxGuOBsbD9ZZT8fihsyzg) :heavy_check_mark:\n- [CodeQL for Golang Practise(3)](http://f4bb1t.com/post/2020/12/16/codeql-for-golang-practise3/)\n- [CodeQL静态代码扫描之实现关联接口、入参、和危险方法并自动化构造payload及抽象类探究](https://mp.weixin.qq.com/s/Rqo12z9mapwlj6wGHZ1zZA)\n- [Codeql分析Vulnerability-GoApp - FreeBuf网络安全行业门户](https://www.freebuf.com/articles/web/253491.html)\n- [codeql反序列化分析](https://github.com/githubsatelliteworkshops/codeql)\n- [[原创\\]58集团白盒代码审计系统建设实践2：深入理解SAST-业务安全-看雪论坛-安全社区|安全招聘|bbs.pediy.com](https://bbs.pediy.com/thread-266995.htm#msg_header_h1_4)\n- [楼兰#CodeQL](https://mp.weixin.qq.com/mp/appmsgalbum?__biz=Mzg4ODU4ODYzOQ==\u0026action=getalbum\u0026album_id=1970201600723910658\u0026scene=173\u0026from_msgid=2247484983\u0026from_itemidx=1\u0026count=3\u0026nolastread=1#wechat_redirect)\n- [CodeQL学习笔记 | Gamous'Site](http://blog.gamous.cn/post/codeql/)\n- [language:go - Search - LGTM](https://lgtm.com/search?q=language%3Ago\u0026t=rules)\n- [CodeQL 和代码扫描简介 - GeekMasher 的博客](https://geekmasher.dev/posts/sast/codeql-introduction)\n- [CVE-2018-11776: 如何使用CodeQL发现5个 Apache Struts RCEs](https://mp.weixin.qq.com/s/LmOFGAhqAKiO8VDQW4vvLg)\n- [CodeQL静态代码扫描规则编写之RemoteFlowSource](https://mp.weixin.qq.com/s/jVZ3Op8FYBmiFAV3p0li3w)\n- [CodeQL静态代码扫描之抽象类探究](https://mp.weixin.qq.com/s/KQso2nvWx737smunUHwXag)\n- [Codeql规则编写入门](https://mp.weixin.qq.com/s/sAUSgRAohFlmzwSkkWjp9Q)\n- [About LGTM - Help - LGTM](https://lgtm.com/help/lgtm/about-lgtm)\n- [LGTM help \u0026 documentation](https://help.semmle.com/home/help/home.html)\n- [Capture the flag | GitHub Security Lab](https://securitylab.github.com/ctf/)\n- [分类: codeql - 食兔人的博客](https://blog.ycdxsb.cn/categories/research/codeql/)\n- [CodeQL - butter-fly](https://yourbutterfly.github.io/note-site/module/semmle-ql/codeql/)\n- [表达式](https://www.4hou.com/posts/lM11)\n- [mark/CodeQL-数据流在Java中的使用.md at master · haby0/mark](https://github.com/haby0/mark/blob/master/articles/2021/CodeQL-数据流在Java中的使用.md)\n- [github/securitylab: Resources related to GitHub Security Lab](https://github.com/github/securitylab)\n- [codeql挖掘React应用的XSS实践 | Image's blog](https://hexo.imagemlt.xyz/post/javascript-codeql-learning/)\n- [SummerSec/learning-codeql: CodeQL Java 全网最全的中文学习资料](https://github.com/SummerSec/learning-codeql)\n- [CodeQL query help for Go — CodeQL query help documentation](https://codeql.github.com/codeql-query-help/go/#)\n- [codeql使用指南_zzzzfeng的博客-CSDN博客_codeql使用](https://blog.csdn.net/haoren_xhf/article/details/115064677)\n- [Apache Dubbo：条条大路通RCE | GitHub 安全实验室](https://securitylab.github.com/research/apache-dubbo/)\n- [南大软件分析课程](https://space.bilibili.com/2919428?share_medium=iphone\u0026share_plat=ios\u0026share_session_id=6851D997-0AC6-4C67-B858-BD1E6258C548\u0026share_source=COPY\u0026share_tag=s_i\u0026timestamp=1639480132\u0026unique_k=8wQBAkV)\n- [各种语言危险sink](https://github.com/haby0/sec-note)\n\n# Environment setup\n\n- [编译OpenJDK8并生成CodeQL数据库](https://blog.csdn.net/mole_exp/article/details/122330521) :heavy_check_mark: **Running QL against the JDK itself is useful in many ways.**\n\n# Real-world examples\n\n- [如何利用CodeQL挖掘CVE-2020-10199](https://www.anquanke.com/post/id/202987) :heavy_check_mark: **Uses taint tracking with TaintTracking::Configuration and adds isAdditionalTaintStep**\n- [利用CodeQL分析并挖掘Log4j漏洞](https://mp.weixin.qq.com/s/JYco8DysQNszMohH6zJEGw)\n- [使用codeql 挖掘 ofcms](https://www.anquanke.com/post/id/203674) :heavy_check_mark:\n- [使用codeql挖掘fastjson利用链](https://xz.aliyun.com/t/7482) :heavy_check_mark:\n- [用codeql分析grafana最新任意文件读取]() :heavy_check_mark:\n- [codeql学习——污点分析](https://xz.aliyun.com/t/7789) :heavy_check_mark:\n- [CodeQL从0到1(内附Shiro检测demo)](https://www.anquanke.com/post/id/255721) :heavy_check_mark:\n- [Codeql分析Vulnerability-GoApp](https://www.freebuf.com/articles/web/253491.html) :heavy_check_mark: (Go)\n- [如何用CodeQL数据流复现 apache kylin命令执行漏洞 - 先知社区](https://xz.aliyun.com/t/8240) :heavy_check_mark:\n- [从Java反序列化漏洞题看CodeQL数据流](https://www.anquanke.com/post/id/256967) :heavy_check_mark:\n- [CodeQL 学习小记](https://www.buaq.net/go-98696.html) :heavy_check_mark:\n\n# Downloads\n\nDocumentation: https://codeql.github.com/docs/codeql-cli/\n\nBinaries: https://github.com/github/codeql-cli-binaries\n\nStarter project: https://github.com/github/vscode-codeql-starter\n\nDatabase downloads, online queries and rule search: https://lgtm.com/\n\n# Creating a database\n\nStep 1: create the code database. You need a database before you can run any query.\n\n```\ncodeql database create \u003cdatabase\u003e --language=\u003clanguage-identifier\u003e\n```\n\nSupported languages and their identifiers:\n\n| Language              | Identifier |\n| --------------------- | ---------- |\n| C/C++                 | cpp        |\n| C#                    | csharp     |\n| Go                    | go         |\n| Java                  | java       |\n| JavaScript/TypeScript | javascript |\n| Python                | python     |\n| Ruby                  | ruby       |\n\n1. Create a code-scanning database (Java)\n\n```\ncodeql database create D:\\codeqldb/javasec --language=java --command=\"mvn clean install --file pom.xml -Dmaven.test.skip=true\" --source-root=./javasec\n```\n\nNote: --source-root is the path to the source code; it defaults to the current directory and can be omitted.\n\nSome commonly used build commands\n\n```\n# build, skipping the tests\n--command=\"mvn clean install --file pom.xml -Dmaven.test.skip=true\"\n# never fail the build, whatever the result of individual modules (-fn)\n--command=\"mvn -fn clean install --file pom.xml -Dmaven.test.skip=true\"\n```\n\nIncluding XML files in the database: https://github.com/github/codeql/issues/3887\n\n```\ncodeql database init --source-root=\u003csrc\u003e --language java \u003cdb\u003e\ncodeql database trace-command --working-dir=\u003csrc\u003e \u003cdb\u003e \u003cjava command\u003e\ncodeql database index-files --language xml --include-extension .xml --working-dir=\u003csrc\u003e \u003cdb\u003e\ncodeql database finalize \u003cdb\u003e\n```\n\nSplit the create step into the four commands above; the index-files step is what adds the XML files to the CodeQL database.\n\nThe second approach is to add --include \"**/resources/**/*.xml\" to the codeql-cli/java/tools/pre-finalize.cmd file.\n\n2. Upgrade the database\n\n```\ncodeql database upgrade database/javasec\n```\n\nReference: https://help.semmle.com/lgtm-enterprise/admin/help/prepare-database-upload.html\n\n### Compiled vs. non-compiled languages\n\nFor compiled languages (mainly Java), the build has to run while the database is being created; for non-compiled languages, just scan directly.\n\nFor Go, building is optional.\n\n## Basic queries\n\n### Filtering Methods\n\n#### Query by method name\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\")\nselect method\n```\n\nAlso return the `class` that declares the method:\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\")\nselect method, method.getDeclaringType()\n```\n\n#### Query by method name and interface name\n\nFor example, to find the `toObject` methods of all subclasses of `ContentTypeHandler`:\n\n```java\nimport java\n\nfrom Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getASupertype().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\")\nselect method\n```\n\n#### Call and Callable\n\nCallable is the set of things that can be called: methods and constructors.\n\nCall is the act of invoking a Callable (a method call, a constructor call, and so on).\n\nFiltering method calls\n\n### MethodAccess\n\nUsually you first find the `Method`, then compare it with `MethodAccess.getMethod()`.\n\nFor example, to find calls to the `toObject()` method of `ContentTypeHandler`:\n\n```java\nimport java\n\nfrom MethodAccess call, Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getASupertype().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\") and call.getMethod() = method\nselect call\n```\n\nThis query is not good enough: `getASupertype()` only matches classes such as `JsonLibHandler` that implement the interface directly.\n\nHow can it be improved?\n\nUse `getAnAncestor()` or the transitive closure `getASupertype()*` instead:\n\n```java\nimport java\n\nfrom MethodAccess call, Method method\nwhere method.hasName(\"toObject\") and method.getDeclaringType().getAnAncestor().hasQualifiedName(\"org.apache.struts2.rest.handler\", \"ContentTypeHandler\") and call.getMethod() = method\nselect call\n```\n\n# Data flow tracking\n\nLocal data flow analysis of SpEL\n\nLocal data flow\n\nLocal data flow is flow inside a single method or callable (as soon as a value leaves the method, the flow is cut). Local data flow is usually easier, faster and more precise than global data flow.\n\n```\nimport java\nimport semmle.code.java.frameworks.spring.SpringController\nimport semmle.code.java.dataflow.TaintTracking\n\nfrom Call call, Callable parseExpression, SpringRequestMappingMethod route\nwhere\n  call.getCallee() = parseExpression and\n  parseExpression.getDeclaringType().hasQualifiedName(\"org.springframework.expression\", \"ExpressionParser\") and\n  parseExpression.hasName(\"parseExpression\") and\n  TaintTracking::localTaint(DataFlow::parameterNode(route.getARequestParameter()), DataFlow::exprNode(call.getArgument(0)))\nselect route.getARequestParameter(), call\n```\n\nGlobal data flow analysis extends the `DataFlow::Configuration` class and overrides the `isSource` and `isSink` predicates.\n\n```\nclass MyConfig extends DataFlow::Configuration {\n  MyConfig() { this = \"Myconfig\" }\n\n  override predicate isSource(DataFlow::Node source) {\n    ....\n  }\n\n  override predicate isSink(DataFlow::Node sink) {\n    ....\n  }\n}\n```\n\n# Taint tracking\n\nGlobal taint tracking extends the `TaintTracking::Configuration` class and overrides the `isSource` and `isSink` predicates.\n\n```\nimport java\nimport semmle.code.java.dataflow.TaintTracking\n\nclass VulConfig extends TaintTracking::Configuration {\n  VulConfig() { this = \"myConfig\" }\n\n  override predicate isSource(DataFlow::Node source) {\n\n  }\n\n  override predicate isSink(DataFlow::Node sink) {\n\n  }\n}\n\nfrom VulConfig config, DataFlow::PathNode source, DataFlow::PathNode sink\nwhere config.hasFlowPath(source, sink)\nselect sink.getNode(), source, sink, \"source are\"\n```\n\n# White-box scanning\n\nThe QL library ships with queries for many common security vulnerabilities that can be used directly to scan project source code.\n\nhttps://codeql.github.com/codeql-query-help/java/\n\nReady-made queries:\n\nJava\n\n1. Zip slip (arbitrary file overwrite on zip extraction)\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql\n\n2. Command injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql\n\n3. Cookie security\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql\n\n4. XSS\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-079/XSS.ql\n\n5. Dependency vulnerabilities\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql\n\n6. Deserialization\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql\n\n7. HTTP header injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql\n\n8. URL redirect\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql\n\n9. LDAP injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql\n\n10. SQL injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-089/SqlUnescaped.ql\n\n11. File permissions \u0026 path injection\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql\n\n12. XML injection (XXE)\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-611/XXE.ql\n\n13. SSL verification\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql\n\n14. Weak cryptography\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql\n\n15. Predictable random seed\n\nhttps://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql\n\nThe codeql analyze command can run a single .ql file, every .ql file in a directory, or a query suite (.qls).\n\nWhite-box scan command (runs all security queries):\n\n```\ncodeql database analyze source_database_name qllib/java/ql/src/codeql-suites/java-security-extended.qls --format=csv --output=java-results.csv\n```\n\nQueries you write yourself must follow the metadata convention to be usable with analyze, including @kind, like this:\n\n```\n/**\n * @name Incomplete regular expression for hostnames\n * @description Matching a URL or hostname against a regular expression that contains an unescaped\n *              dot as part of the hostname might match more hostnames than expected.\n * @kind path-problem\n * @problem.severity warning\n * @security-severity 7.8\n * @precision high\n * @id go/incomplete-hostname-regexp\n * @tags correctness\n *       security\n *       external/cwe/cwe-20\n */\n```\n\n# Recommended articles\n\n- https://github.com/SummerSec/learning-codeql\n- https://www.anquanke.com/post/id/203674\n- https://fynch3r.github.io/tags/CodeQL/\n- https://www.freebuf.com/articles/web/283795.html\n","funding_links":[],"categories":["Others","Code auditing"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFirebasky%2FCodeqlLearn","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FFirebasky%2FCodeqlLearn","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FFirebasky%2FCodeqlLearn/lists"}