
CodeQL for research at scale


Intro

I decided to get back into more hardcore security research and to try augmenting it with AI. After some research, I think learning CodeQL and then enhancing it with AI support might yield good results. Thus, this post will go over my learning process for it. These are just notes and might not make sense, so feel free to reach out to me if you have questions that I might be able to answer.

Test Case

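// UploadEnigma handles an archive upload for the authenticated user: the
// "archive" form file is saved under ./uploads with a random basename,
// extracted into ./files/<username>, and the saved copy is removed again.
//
// Responses: 403 when no user is attached to the request context, 500 when
// the context value is not a User or when saving the file / preparing the
// user folder fails, 400 when the username does not map to a folder inside
// ./files, and 202 on success. Errors from c.FormFile and archiver.Unarchive
// are returned to the caller unchanged.
func UploadEnigma(c *fiber.Ctx) error {
	user := c.Locals("user")
	if user == nil {
		return utils.ErrorResponse(c, "User not found", http.StatusForbidden)
	}

	userStruct, ok := user.(User)
	if !ok {
		return c.SendStatus(http.StatusInternalServerError)
	}

	file, err := c.FormFile("archive")
	if err != nil {
		return err
	}

	// Random basename; only the extension is taken from the client-supplied
	// name, so the upload path does not depend on untrusted characters.
	filename := uuid.New().String() + filepath.Ext(file.Filename)
	tempFile := filepath.Join("./uploads", filename)
	if err := c.SaveFile(file, tempFile); err != nil {
		return utils.ErrorResponse(c, "Error saving file", http.StatusInternalServerError)
	}
	// The saved archive is only an intermediate; best-effort cleanup on every
	// exit path so ./uploads does not grow by one file per request.
	defer os.Remove(tempFile)

	// The username is set on the request context elsewhere, not validated
	// here; refuse any value whose joined path would not stay below filesRoot
	// (empty, "." or ".." components that resolve to the root or above it).
	const filesRoot = "./files"
	userFolder := filepath.Join(filesRoot, userStruct.Username)
	rel, err := filepath.Rel(filesRoot, userFolder)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return utils.ErrorResponse(c, "Invalid user folder", http.StatusBadRequest)
	}

	// MkdirAll is a no-op for an existing folder, so no Stat probe is needed.
	// A failure here only concerns this request; terminating the process
	// (log.Fatal) would take down every other in-flight request as well.
	if err := os.MkdirAll(userFolder, 0755); err != nil {
		log.Printf("creating user folder %q: %v", userFolder, err)
		return utils.ErrorResponse(c, "Error preparing user folder", http.StatusInternalServerError)
	}

	// NOTE(review): extraction safety (entries with absolute or ".." paths,
	// total decompressed size) is delegated to archiver.Unarchive; confirm the
	// pinned library version enforces it, since the archive is client-supplied.
	if err = archiver.Unarchive(tempFile, userFolder); err != nil {
		return err
	}

	return utils.MessageResponse(c, "Archive uploaded and extracted successfully", http.StatusAccepted)
}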
Code for submitting user-controlled data to the application
package services

import (
	"Desires/utils"
	"bytes"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"

	"github.com/google/uuid"

	"github.com/gofiber/fiber/v2"
	"github.com/mholt/archiver/v3"
)
Imported packages
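/**
 * Lists every Go function in the database together with its
 * package-qualified name (e.g. as a first sanity check that the
 * database was built from the expected code).
 */
import go

from Function f
// getQualifiedName is the predicate on Function; getQualifiedNamed does not exist.
select f, f.getQualifiedName()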
image
graph TD
    A["Input: c *fiber.Ctx"] --> B["c.FormFile('archive')"]
    B --> C["file, err := c.FormFile('archive')"]
    C --> D["c.SaveFile(file, filepath.Join('./uploads', filename))"]
 
    
image
image
image
image
image
Getting all function calls and their exact locations, including start and end columns.
/**
 * Local taint tracking into the value arguments of calls to
 * github.com/go-redis/redis/v8.Conn.Set: reports each expression from which
 * taint reaches argument 1, 2 or 3 of such a call, together with its location.
 *
 * NOTE(review): `pkg` folds the type name into the package string passed to
 * hasQualifiedName ("...v8.Conn"); confirm this is how the Go library
 * qualifies methods (Method.hasQualifiedName(pkg, type, name) may be the
 * intended form).
 * NOTE(review): `call` is declared as DataFlow::CallExpr but is assigned
 * from getACall().asExpr(), i.e. an AST expression; confirm the intended
 * class is the AST CallExpr.
 */
import go
    
from Function function, DataFlow::CallExpr call, Expr src, string pkg, Expr sink
where
	// Restrict to calls of the Set function of the named package/type.
	pkg = "github.com/go-redis/redis/v8.Conn" and
	function.hasQualifiedName(pkg, "Set") and
	call = function.getACall().asExpr() and
	// Sinks are arguments 1..3 only; argument 0 (presumably the ctx) is not
	// considered.
	(
	sink = call.getArgument(1) or
	sink = call.getArgument(2) or
	sink = call.getArgument(3)
	) and
	// localTaint is intra-procedural: src must reach sink within one function.
	TaintTracking::localTaint(DataFlow::exprNode(src), DataFlow::exprNode(sink))
select
	src,
	src.getLocation()
image