/**
 * @name Input Validation Scanner - CodeQL Ruleset
 * @description This ruleset contains queries that identify potential input validation vulnerabilities.
 * @kind meta-ruleset
 * @id input-validation-scanner
 */
// NOTE(review): as written this file is a template, not something the CodeQL CLI can compile:
//  - a .ql file holds exactly one `from ... where ... select` clause, so each check below needs
//    its own .ql file, and the "ruleset" is then a query suite (.qls) that lists them;
//  - a query compiles against a single language database, so `import javascript` cannot coexist
//    with `import python` / `import go` / ... in one file — split the checks per language;
//  - `meta-ruleset` is not a recognised `@kind`; path results use `path-problem`, single-location
//    results `problem` — confirm against the CLI version in use;
//  - `SqlInjectionQuery` and `CommandInjectionQuery` are not declared here and are not types a
//    `from` variable can range over; the per-language standard library exposes these checks as
//    dataflow configurations (compare the `DataFlow::Configuration` used further down).
import javascript
import python
import go
import csharp
import java
import cpp

/**
 * General Input Validation Checks
 */

// Untrusted data used in SQL queries (SQL Injection)
from SqlInjectionQuery q
select q, "Potential SQL Injection vulnerability: Untrusted data used in SQL query."

// Untrusted data used in OS commands (Command Injection)
from CommandInjectionQuery q
select q, "Potential Command Injection vulnerability: Untrusted data used in OS command."

// Untrusted data used in XPath queries (XPath Injection) - Requires XPath support in language
// from XPathInjectionQuery q
// select q, "Potential XPath Injection vulnerability: Untrusted data used in XPath query."

// Cross-Site Scripting (XSS) - Requires framework-specific queries for best results
// Placeholder: Add XSS queries here, potentially framework-specific (e.g., React, Angular, Vue)

/**
 * Language-Specific Input Validation Checks
 */

// JavaScript/TypeScript examples
// NOTE(review): the bindings below are inverted relative to the intent stated in the comments —
// `source` is constrained to be the eval() call itself, so the "untrusted input" is the call, not
// data flowing into it. A taint query would make eval's argument the sink and the untrusted data
// (request parameters, etc.) the source, with `cfg` deciding what counts as either.
// NOTE(review): both regexpMatch checks run on toString() of an argument expression, i.e. on its
// source text. `.*userInput.*` is a variable-name heuristic (misses renamed data and matches any
// string literal containing the word) and `.*[<>&\"'].*` can only match literals — neither
// establishes untrusted flow, so expect both misses and noise. Prefer the library's taint-tracking
// source/sink definitions over text matching.
// NOTE(review): in the JavaScript library `DataFlow::PathGraph` is a module brought in with
// `import DataFlow::PathGraph`, not a type a `from` variable can range over, and a path-problem
// query selects the sink node, source, sink and message — confirm against the library version in use.
from DataFlow::PathGraph path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlowPath(source, sink) and
  source.asExpr().(CallExpr).getCalleeName() = "eval" and // Example: Detect use of eval with untrusted input. This is just an example, adjust as needed.
  sink.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*[<>&\"'].*") and // Example: Simple check for HTML characters in the eval input. This is just an example, adjust as needed.
  source.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*userInput.*") // Example: Check if the eval input uses a variable named "userInput". This is just an example, adjust as needed.
select path, "Potential JavaScript eval with untrusted input."

// Python examples
// Placeholder: Add Python-specific input validation queries here, focusing on common vulnerabilities. Example: OS Command Injection through format strings.

// Go examples
// Placeholder: Add Go-specific input validation queries here, focusing on common vulnerabilities. Example: Path Traversal.

// C# examples
// Placeholder: Add C#-specific input validation queries here, focusing on common vulnerabilities. Example: LDAP Injection.

// Java examples
// Placeholder: Add Java-specific input validation queries here, focusing on common vulnerabilities. Example: Deserialization vulnerabilities.

// C/C++ examples
// Placeholder: Add C/C++-specific input validation queries here, focusing on common vulnerabilities. Example: Buffer overflows.

/**
 * Custom Input Validation Checks
 *
 * Placeholder: Add custom queries tailored to the specific application or framework.
 * These queries should focus on identifying missing or inadequate input validation routines.
 */

// Example: Check for missing length validation on a specific input field.
// NOTE(review): `call.getArgument(0) = source.asExpr()` compares AST nodes, so the guard holds only
// when the very same expression node is both the flow source and the validateLength argument; a
// validation call elsewhere uses a different node, so `not exists(...)` is almost always true and the
// query would flag nearly every flow. Match on the variable instead, or model validateLength as a
// sanitizer/barrier in the configuration so that validated paths are dropped by hasFlowPath.
// NOTE(review): `VariableAccess.getTarget()` is the C/C++ library's API while `CallExpr.getCalleeName()`
// is the JavaScript library's — confirm which language this example is meant for before enabling it.
// from DataFlow::PathGraph path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
// where cfg.hasFlowPath(source, sink) and
//   source.asExpr().(VariableAccess).getTarget().getName() = "userInput" and // Replace "userInput" with the actual input field name
//   sink.asExpr().(CallExpr).getCalleeName() = "processData" and // Replace "processData" with the function that processes the input
//   not exists(CallExpr call | call.getCalleeName() = "validateLength" and call.getArgument(0) = source.asExpr()) // Check for missing length validation
// select path, "Missing length validation for input field 'userInput'."

/**
 * Helper Queries (Optional)
 *
 * Placeholder: Add helper queries that can be used by other queries in this ruleset.
 * These can simplify the main queries and improve code reuse.
 */

/**
 * Configuration
 *
 * Placeholder: Add any necessary configuration options for the queries in this ruleset.
 * This might include specifying trusted sources, sanitization functions, or regular expressions.
 *
 * NOTE(review): in CodeQL these are not free-standing options; trusted sources and sanitizers are
 * expressed by the dataflow configuration's source/sink/sanitizer predicates (the `cfg` object the
 * queries above range over), so this section should end up as a configuration class, not a comment.
 */

/**
 * Considerations
 *
 * - This ruleset is a starting point and should be customized to the specific application and its security requirements.
 * - Regularly update the ruleset to address new vulnerabilities and attack vectors.
 * - Review the results carefully and prioritize remediation based on the severity of the vulnerability and the likelihood of exploitation.
 * - Name-based heuristics such as the "userInput" regex above inflate result counts; tune them before
 *   wiring this into a CI gate, or findings will be ignored as noise.
 */