/**
 * @name Input Validation Scanner - CodeQL Ruleset
 * @description Sketch of a query set that identifies potential input validation
 *              vulnerabilities (untrusted data reaching SQL, OS commands, XPath,
 *              HTML output and `eval`). Not compilable as written; see the note below.
 * @kind meta-ruleset
 * @id input-validation-scanner
 *
 * NOTE(review): `meta-ruleset` is not a recognised `@kind` value (CodeQL queries
 * use `problem`, `path-problem`, etc.), a single `.ql` file holds exactly one
 * `from ... where ... select`, and it compiles against exactly one language
 * library. What CodeQL calls a "ruleset" is a query suite (`.qls`) that lists
 * separate per-language `.ql` files. Treat this file as a design sketch to be
 * split into one query per language and one suite that references them.
 */
// NOTE(review): a CodeQL query is compiled against one language library; the
// `javascript`, `python`, `go`, `csharp`, `java` and `cpp` libraries cannot all
// be dependencies of the same query pack, and their top-level names (e.g. `Expr`,
// `CallExpr`) would collide even if they could. Split this file into one query
// per language, each keeping only its own `import`, and list those queries in
// a `.qls` suite.
import javascript
import python
import go
import csharp
import java
import cpp
/**
 * General Input Validation Checks
 *
 * These checks are meant to reuse the injection source/sink models that ship
 * with the imported language library. They are therefore not language-agnostic:
 * each one has to exist once per language, against that language's library.
 */
// Untrusted data used in SQL queries (SQL Injection)
// NOTE(review): `SqlInjectionQuery` is used as if it were a class with one
// result per finding, but no imported library declares such a class; in the
// standard libraries the SQL injection logic is a per-language module (the
// Java library's `semmle.code.java.security.SqlInjectionQuery`, for example --
// confirm the name for the library version in use) that must be imported and
// whose flow configuration is queried for (source, sink) pairs. As a
// `path-problem` query the `select` should also carry the source node in the
// message so the reviewer can see where the untrusted value entered, rather
// than only the sink. A `.ql` file may contain only one `from ... select`, so
// this query needs its own file.
from SqlInjectionQuery q
select q, "Potential SQL Injection vulnerability: Untrusted data used in SQL query."
// Untrusted data used in OS commands (Command Injection)
// NOTE(review): `CommandInjectionQuery` does not resolve to a class in any of
// the imported libraries; command injection is modelled per language because
// the sinks differ (`Runtime.exec`/`ProcessBuilder` in Java, `subprocess`/`os.system`
// in Python, `os/exec` in Go, `Process.Start` in C#, `system`/`exec*` in C/C++).
// Import the language library's command-injection module and select the
// (source, sink) pairs from its flow configuration instead of a bare `from`.
// Each query also needs its own `.ql` file.
from CommandInjectionQuery q
select q, "Potential Command Injection vulnerability: Untrusted data used in OS command."
// Untrusted data used in XPath queries (XPath Injection). Enable only for
// languages whose library models XPath sinks; `XPathInjectionQuery` below is a
// placeholder name, not a class the imported libraries declare.
// from XPathInjectionQuery q
// select q, "Potential XPath Injection vulnerability: Untrusted data used in XPath query."
// Cross-Site Scripting (XSS). Start from the language library's generic
// reflected/stored/DOM XSS queries; framework-specific models (React, Angular,
// Vue, server-side template engines) only refine which sinks and sanitizers
// are recognised and should be added on top, not instead.
// Placeholder: Add XSS queries here, potentially framework-specific.
/**
 * Language-Specific Input Validation Checks
 *
 * One block per language; each must live in its own query file and be compiled
 * against that language's library only.
 */
// JavaScript/TypeScript examples
// NOTE(review): this query is a sketch and does not type-check as written:
//  - `DataFlow::PathGraph` is a module that a `path-problem` query imports, not
//    a generic type, and `path` is never bound in the `where` clause;
//  - `cfg` ranges over every `DataFlow::Configuration` in scope (there is no
//    characteristic constraint), and `hasFlowPath` takes `PathNode`s, not
//    `DataFlow::Node`s;
//  - with this `where` clause the *source* is the `eval(...)` call itself and
//    the *sink* is some other call, i.e. flow is required out of eval's result
//    and into another call -- the opposite direction from "untrusted input
//    reaching eval".
// More importantly for a security check: both `regexpMatch` tests run on the
// *source text* of the argument (`toString()`), so they detect a literal
// `<>&"'` in the code or a variable literally named "userInput". That matches
// a naming convention, not untrusted data, and misses any value that reaches
// eval under a different name. The robust form is a taint-tracking
// configuration whose sources are remote flow sources and whose sink is the
// argument of eval (the JavaScript library ships a code-injection query built
// this way); keep name-matching at most as a triage filter.
from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
where cfg.hasFlowPath(source, sink) and
source.asExpr().(CallExpr).getCalleeName() = "eval" and // Example only: binds the source to an `eval(...)` call -- see the note above on direction.
sink.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*[<>&\"'].*") and // Example only: textual check for HTML characters in the sink's first argument; matches code text, not runtime values.
source.asExpr().(CallExpr).getArgument(0).toString().regexpMatch(".*userInput.*") // Example only: textual check that eval's argument mentions "userInput"; a naming heuristic, not taint.
select path, "Potential JavaScript eval with untrusted input."
// Python examples
// Placeholder: Add Python-specific input validation queries here, focusing on
// common vulnerabilities. Example: OS command injection where an untrusted
// value is interpolated (format string / f-string) into a string passed to
// `subprocess` or `os.system`.
// Go examples
// Placeholder: Add Go-specific input validation queries here, focusing on
// common vulnerabilities. Example: path traversal, where an untrusted path
// segment reaches a file API without being confined to a base directory
// (joining with `filepath.Join` alone does not prevent escaping the base).
// C# examples
// Placeholder: Add C#-specific input validation queries here, focusing on
// common vulnerabilities. Example: LDAP injection, where untrusted data is
// concatenated into an LDAP filter or distinguished name.
// Java examples
// Placeholder: Add Java-specific input validation queries here, focusing on
// common vulnerabilities. Example: unsafe deserialization, where untrusted
// bytes reach `ObjectInputStream.readObject` or an equivalent deserializer.
// C/C++ examples
// Placeholder: Add C/C++-specific input validation queries here, focusing on
// common vulnerabilities. Example: buffer overflows, where an untrusted length
// or unbounded string reaches `memcpy`/`strcpy`-style calls without a bound check.
/**
 * Custom Input Validation Checks
 *
 * Placeholder: Add custom queries tailored to the specific application or framework.
 * These queries should focus on identifying missing or inadequate input validation.
 * In CodeQL, "validated" is best expressed as a sanitizer/barrier in the flow
 * configuration (flow through the validation routine is cut), rather than as a
 * syntactic check that some validation function was called somewhere.
 */
// Example: Check for missing length validation on a specific input field.
// NOTE(review): as sketched, the `not exists(...)` clause compares expression
// nodes: `call.getArgument(0) = source.asExpr()` holds only when the very
// `userInput` access that flows to `processData` is itself the argument of
// `validateLength`, which is rarely the case (the access inside
// `validateLength(userInput)` is a different node from the one in
// `processData(userInput)`). Model `validateLength` as a sanitizer/barrier in the
// configuration instead, or compare the underlying variable. Also,
// `VariableAccess.getTarget()` is the C/C++ library's API; the JavaScript library
// spells it `VarAccess.getVariable()` -- use the one matching the imported language.
// from DataFlow::PathGraph<DataFlow::Node, DataFlow::Node> path, DataFlow::Configuration cfg, DataFlow::Node source, DataFlow::Node sink
// where cfg.hasFlowPath(source, sink) and
// source.asExpr().(VariableAccess).getTarget().getName() = "userInput" and // Replace "userInput" with the actual input field name
// sink.asExpr().(CallExpr).getCalleeName() = "processData" and // Replace "processData" with the function that processes the input
// not exists(CallExpr call | call.getCalleeName() = "validateLength" and call.getArgument(0) = source.asExpr()) // Check for missing length validation (see note above)
// select path, "Missing length validation for input field 'userInput'."
/**
 * Helper Queries (Optional)
 *
 * Placeholder: Add shared predicates and classes used by the queries in this
 * ruleset. In CodeQL these belong in a library file (`.qll`) that each query
 * imports; a `.ql` query file cannot be imported by another query.
 * Shared helpers simplify the main queries and improve reuse.
 */
/**
 * Configuration
 *
 * Placeholder: Add any configuration needed by the queries in this ruleset.
 * This might include trusted sources, sanitization functions, or regular
 * expressions. In CodeQL these are expressed by overriding `isSource`,
 * `isSink` and `isSanitizer`/`isBarrier` in the flow configuration (or via
 * data extensions), not by free-standing options; keep the sanitizer list
 * conservative, since every sanitizer suppresses a finding.
 */
/**
 * Considerations
 *
 * - This ruleset is a starting point and should be customized to the specific application and its security requirements.
 * - Regularly update the ruleset to address new vulnerabilities and attack vectors.
 * - Review the results carefully and prioritize remediation based on the severity of the vulnerability and the likelihood of exploitation.
 * - Checks that match on identifier names or source text rather than on data flow
 *   (as the examples above do) produce both false positives and false negatives;
 *   treat them as heuristics for triage, not as findings in their own right.
 */