Intro

I decided to get back into more hardcore security research, and try to augment it with AI. After some research, I think learning CodeQL and then enhancing it with AI support might yield good results. Thus, this post will go over my learning process for it. These are just notes, and might not make sense, so feel free to reach out to me if you have questions that I might be able to answer.

Test Case

func UploadEnigma(c *fiber.Ctx) error {

	user := c.Locals("user")
	if user == nil {
		return utils.ErrorResponse(c, "User not found", http.StatusForbidden)
	}

	userStruct, ok := user.(User)
	if !ok {
		return c.SendStatus(http.StatusInternalServerError)
	}

	file, err := c.FormFile("archive")
	if err != nil {
		return err
	}

	filename := uuid.New().String() + filepath.Ext(file.Filename)

	tempFile := filepath.Join("./uploads", filename)
	if err := c.SaveFile(file, filepath.Join("./uploads", filename)); err != nil {
		return utils.ErrorResponse(c, "Error saving file", http.StatusInternalServerError)
	}

	userFolder := filepath.Join("./files", userStruct.Username)
	if _, err := os.Stat(userFolder); os.IsNotExist(err) {
		if err := os.MkdirAll(userFolder, 0755); err != nil {
			log.Fatal(err)
		}
	}

	err = archiver.Unarchive(tempFile, userFolder)

	if err != nil {
		return err
	}

	return utils.MessageResponse(c, "Archive uploaded and extracted successfully", http.StatusAccepted)
}

Code for submitting user controlled data to the application

package services

import (
	"Desires/utils"
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"

	"github.com/google/uuid"

	"github.com/gofiber/fiber/v2"
	"github.com/mholt/archiver/v3"
)

Imported packages

import go

from Function f
select f, f.getQualifiedNamed()

graph TD
    A["Input: c *fiber.Ctx"] --> B["c.FormFile('archive')"]
    B --> C["file, err := c.FormFile('archive')"]
    C --> D["c.SaveFile(file, filepath.Join('./uploads', filename))"]

Getting all function calls and their exact locations including start and end columns.

import go
    
from Function function, DataFlow::CallExpr call, Expr src, string pkg, Expr sink
where
	pkg = "github.com/go-redis/redis/v8.Conn" and
	function.hasQualifiedName(pkg, "Set") and
	call = function.getACall().asExpr() and
	(
	sink = call.getArgument(1) or
	sink = call.getArgument(2) or
	sink = call.getArgument(3)
	) and
	TaintTracking::localTaint(DataFlow::exprNode(src), DataFlow::exprNode(sink))
select
	src,
	src.getLocation()

CodeQL for research at scale

Intro

Test Case