[Java] Find lookup interface

[zxcv0221]

Hello, I recently read the analysis of fastjson using chain article, sink is can achieve jndi injection function - lookup (), but this sink point I can not query out, I would like to ask whether CodeQL can query out the built-in method of rt.jar? Or what do I need to do to make my rules query the methods in the JDK source code? This is my query rule.

class JNDIMethod extends Method{
    JNDIMethod(){
        this.getDeclaringType().getASupertype*().hasQualifiedName("javax.naming", "Context") and
        this.hasName("lookup")
    }
}

This is the full query for the file I executed, There is no error, but the result is empty.

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

class JNDIMethod extends Method{
    JNDIMethod(){
        this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.naming", "Context") and
        this.hasName("lookup")
    }
}

class MyTaintTrackingConfiguration extends TaintTracking::Configuration {
  MyTaintTrackingConfiguration() { this = "MyTaintTrackingConfiguration" }

  override predicate isSource(DataFlow::Node source) {
    exists(FieldAccess field|
    source.asExpr() = field
    )
  }

  override predicate isSink(DataFlow::Node sink) {
    exists(MethodAccess call |
    call.getMethod() instanceof JNDIMethod and sink.asExpr() = call.getArgument(0)
    )
  }
}


from  MyTaintTrackingConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
where config.hasFlowPath(source, sink)
select source.getNode(), source, sink, sink.getNode()

[MathiasVP]

Hi @zxcv0221,

A couple of things spring to mind when I see your query:

• You're missing the relevant query meta-data for a path-problem query. See this page for more info. In particular:
  1. You need to add the @kind path-problem metadata to the query. This tells CodeQL that it needs to render a path as part of the query result.
  2. Your select clause in at the bottom of the query is incorrect. See here for what it should look like. In particular, your select clause must be of the form select element, source, sink, string, but your select clause is currently select element, source, sink, element. I suggest you replace the last line with:

  select source.getNode(), source, sink, "CodeQL found a data-flow path from source to sink!"

  (or something slightly more helpful 😅.)

Next up, you should read up on how to debug missing dataflow results here. Before you dive deep into that document, please try the first suggestion in that document:

Initially, you should make sure that the source and sink definitions contain what you expect. If either the source or sink is empty then there can never be any data flow. The easiest way to check this is using quick evaluation in CodeQL for VS Code. Select the text node instanceof MySource, right-click, and choose “CodeQL: Quick Evaluation”. This will evaluate the highlighted text, which in this case means the set of sources. [...]

In your example, you can right-click on the isSource predicate and choose “CodeQL: Quick Evaluation”. This will show you all the places that your query will select as a source. Are the results here what you expect? Similarly: You can right-click on the isSink predicate and use "CodeQL: Quick Evaluation" to inspect whether the set of sinks are what you expect.

[zxcv0221]

Thank u for answering my question. As you said, I changed my code and looked at your suggestion. I right-clicked the isSource predicate in VS code and selected "CodeQL: Quick Evaluation" and this is what happened

isSource should be fine. However, when I try it on isSink with the same operation, no results show here.

I'm sorry, I just learned CodeQL, so I'm a little bad at writing the rules. My goal is to find lookup (), where the stain converges, so that I can clearly find the utilization chain of fastjson.
Can you teach me how to use CodeQL to achieve this? Because of the lack of relevant information on the Internet, this problem has been bothering me for 5 days. Thank you again!😊

[MathiasVP]

Alright, so far so good. We know we have some relevant sources. So let's dig into why we don't have any sinks. First thing first: I noticed that you changed your definition of isSink in between these two posts? The first isSink certainly seems more correct than the one in the screenshot (I don't think that last query will actually compile since sink.asExpr() is a predicate with an Expr return type that you're not using?)

So I think you should go back to your earlier definition of isSink:

override predicate isSink(DataFlow::Node sink) {
  exists(MethodAccess call |
  call.getMethod() instanceof JNDIMethod and sink.asExpr() = call.getArgument(0)
  )
}

Then you can quick-eval parts of that definition. For example, what do you get if you highlight the call.getMethod() instanceof JNDIMethod part of the predicate and right-click and choose “CodeQL: Quick Evaluation”? If there's no results for this, the next thing you can try is to right-click on the JNDIMethod class and quick-eval that class to see if there are any JNDIMethods present in your database.

[zxcv0221]

😃I am very sorry, maybe it is a problem with my screen window, causing the content behind sink.asExpr () not intercepted, let you misunderstand. In fact, my isSink is not modified.

Next, when I select the call.getMethod () instanceof JNDIMethod section, right click and select "CodeQL: QuickEvaluation," there is no result, my screen shot of the result of execution is this.

In the end I tried the steps you said, executing JNDIMethod, but there was still no result here.

I was wondering if it could be a problem with my generating the ql database. Allow me to provide you with my environmental address:

• https://github.com/l4yn3/micro_service_seclab
• https://github.com/safe6Sec/ShiroAndFastJson

My command to generate the database is

codeql database create D:\CodeQL\databases\seclab  --language="java"  --command="mvn clean install --file pom.xml" --source-root=D:\Demo\Java\micro_service_seclab

Prior to that, my SQL injection rules had been executed and successfully returned query results. So I guess it's because my rules can't query the lookup interface. The purpose of the help is to know how to query this interface.

[MathiasVP]

Thanks for all the details 🙂. So it looks like the lookup method on javax.naming.Context isn't included the database. That's why JNDIMethod doesn't have any results when you quick-eval it's "characteristic predicate" (i.e., the thing in the JNDIMethod class that looks like a constructor). So call.getMethod() instanceof JNDIMethod will never be satisfied. Can you point me to the line in https://github.com/l4yn3/micro_service_seclab that you tried to capture with your definition of isSink (i.e., the call to lookup on an object of type javax.naming.Context)?

[zxcv0221]

Yes, I understand my mistake, this lookup method is indeed not included in this database, today I discussed this problem with my friends only to find that CodeQL can not directly track the contents of third-party jar packages. I'm sorry for my stupid question.
What I'm actually trying to achieve is to go from com.l4yn3.microserviceseclab.controller.FastJsonController#Json.parseObject() Data flow to the call to javax. naming. Context. lookup ().

[MathiasVP]

So I assume this is the source you're taking about: https://github.com/l4yn3/micro_service_seclab/blob/main/src/main/java/com/l4yn3/microserviceseclab/controller/FastJsonController.java#L17, right? And where is the call to lookup?

[zxcv0221]

I think I understand. I should be wanting to analyze the contents of the closed source jar package. I found this project: https://github.com/waderwu/extractor-java , I was looking in the wrong direction before and this project solved my confusion.

Thank u so much for answering my questions.

[MathiasVP]

Indeed, CodeQL does not extract the source code of a dependency (JDK in this case), since the bytecode is not extracted. I'm happy you found a solution, though 🙂.