Help with the query to find source and sink #852
I am new to CodeQL, and I am getting errors in this query to find source and sink pairs. Any insight or help will be appreciated! Query:

```ql
import java
import semmle.code.java.dataflow.TaintTracking

// Define a comprehensive source of user-controlled input
class Source extends TaintTracking::Source {
  Source() {
    this = any() and
    (
      // Match @RequestParam for user inputs
      exists(RequestMapping request |
        request.hasName("realName") or request.hasName("blabName") or
        request.hasName("username") or request.hasName("file") or
        request.hasName("command") or request.hasName("blabberUsername") or
        request.hasName("password") or request.hasName("remember") or
        request.hasName("target")
      ) or
      // Detect typical HttpServletRequest methods that obtain user input
      exists(MethodAccess access |
        access.getMethod().getDeclaringType().getName() = "javax.servlet.http.HttpServletRequest" and
        (
          access.getMethod().hasName("getParameter") or
          access.getMethod().hasName("getHeader") or
          access.getMethod().hasName("getCookies")
        )
      ) or
      // Methods involved in command execution
      exists(MethodAccess cmdClassAccess |
        cmdClassAccess.getMethod().getName() = "forName" or
        cmdClassAccess.getMethod().getName() = "newInstance"
      ) or
      // Direct user input from HttpServletRequest, HttpServletResponse, Model, etc.
      exists(MethodAccess requestMapping |
        requestMapping.getMethod().getName() = "processLogin" or
        requestMapping.getMethod().getName() = "showPasswordHint" or
        requestMapping.getMethod().getName() = "processRegister"
      ) or
      // Other user-provided values, such as in ToolsController
      exists(MethodAccess cmdLineAccess |
        cmdLineAccess.getMethod().getName() = "exec"
      )
    )
  }

  override predicate isSource(DataFlow::Node node) {
    node.asExpr() = this
  }
}

// Define comprehensive sinks where unvalidated data could lead to vulnerabilities
class Sink extends TaintTracking::Sink {
  Sink() {
    this = any() and
    (
      // Unsafe file handling with user-controlled paths
      exists(MethodAccess fileAccess |
        fileAccess.getMethod().getDeclaringType().getName() = "java.io.File" and
        (
          fileAccess.getMethod().hasName("renameTo") or
          fileAccess.getMethod().hasName("new File")
        )
      ) or
      // SQL operations with unvalidated input
      exists(MethodAccess sqlMethod |
        sqlMethod.getMethod().getDeclaringType().getName() = "java.sql.Statement" and
        (
          sqlMethod.getMethod().hasName("executeQuery") or
          sqlMethod.getMethod().hasName("executeUpdate") or
          sqlMethod.getMethod().hasName("execute")
        )
      ) or
      // SQL queries with String concatenation involving user input
      exists(BinaryExpr concatExpr |
        concatExpr.getOperator() = "+" and (
          concatExpr.getLeftOperand() instanceof Literal or
          concatExpr.getRightOperand() instanceof Literal
        )
      ) or
      // Command execution using unvalidated user input
      exists(MethodAccess cmdExec |
        cmdExec.getMethod().getName() = "exec" or
        cmdExec.getMethod().getName() = "start"
      ) or
      // Usage of ObjectInputStream on user-provided input
      exists(MethodAccess objectStreamAccess |
        objectStreamAccess.getMethod().getDeclaringType().getName() = "java.io.ObjectInputStream" and
        objectStreamAccess.getMethod().hasName("readObject")
      ) or
      // Format string vulnerabilities using untrusted data in String.format
      exists(MethodAccess formatAccess |
        formatAccess.getMethod().getName() = "format"
      )
    )
  }

  override predicate isSink(DataFlow::Node node) {
    node.asExpr() = this
  }
}

// Query to retrieve the source and sink, including method details
from Source src, Sink snk, Method srcMethod, Method snkMethod
where
  srcMethod = src.getEnclosingCallable() and
  snkMethod = snk.getEnclosingCallable()
select
  srcMethod.getDeclaringType().getName() + "." + srcMethod.getName(), // Name of the source method
  srcMethod.getBody(), // Source method body
  srcMethod, // Full source method declaration
  snkMethod.getDeclaringType().getName() + "." + snkMethod.getName(), // Name of the sink method
  snkMethod.getBody(), // Sink method body
  snkMethod // Full sink method declaration
```
Replies: 2 comments 1 reply
Let me guess, your code is AI/LLM generated?

There is no `TaintTracking::Source` or `::Sink`. It looks like you want to create a path query, like https://codeql.github.com/docs/writing-codeql-queries/creating-path-queries/ ? To do this you would typically describe a `Source` that extends `DataFlow::Node` and identify relevant nodes, quite similar to what you're already doing, and then use `Flow::flowPath` as noted in the linked article to establish whether the source and sink are connected.

There is also no CodeQL class `RequestMapping` -- perhaps you want to look for methods that are annotated with Spring's `@RequestParam` annotation?

The other significant problem is that your definitions of `Source` and `Sink` use `this = any() and (` which says that t…

```ql
class Source extends DataFlow::Node {
  Source() {
    // Bind this node to the call expression, not the call to this node
    exists(MethodAccess access |
      access.getCallee().hasQualifiedName("javax.servlet.http", "HttpServletRequest", "getParameter")
    |
      this.asExpr() = access
    )
  }
}
```

Note that
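A complete path query in the shape the reply describes, added here as an illustration; it is not the reply author's code and not from the CodeQL project. It uses a `DataFlow::ConfigSig` module instead of the non-existent `TaintTracking::Source`/`Sink` classes, takes `HttpServletRequest.getParameter()` results and Spring `@RequestParam` parameters as sources, the first argument of `Runtime.exec` as the sink, and joins them with `Flow::flowPath`; the query id and result message are assumed values.

```ql
/**
 * @name Request parameter flows to Runtime.exec (added example)
 * @kind path-problem
 * @id java/example/request-param-to-exec
 */

import java
import semmle.code.java.dataflow.TaintTracking

module ExecConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    // Return value of HttpServletRequest.getParameter(...)
    exists(MethodAccess access |
      access.getCallee().hasQualifiedName("javax.servlet.http", "HttpServletRequest", "getParameter") and
      source.asExpr() = access
    )
    or
    // Parameters annotated with Spring's @RequestParam
    exists(Parameter p |
      p.getAnAnnotation().getType().hasQualifiedName("org.springframework.web.bind.annotation", "RequestParam") and
      source.asParameter() = p
    )
  }

  predicate isSink(DataFlow::Node sink) {
    // The command argument of Runtime.exec(...)
    exists(MethodAccess exec |
      exec.getCallee().hasQualifiedName("java.lang", "Runtime", "exec") and
      sink.asExpr() = exec.getArgument(0)
    )
  }
}

// Taint tracking (not just value flow), so string concatenation and similar steps propagate
module Flow = TaintTracking::Global<ExecConfig>;

import Flow::PathGraph

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink, "Request parameter reaches Runtime.exec from $@.", source.getNode(), "this input"
```

Run it with `codeql database analyze` on a database built from the application; each result carries the full source-to-sink path rather than an unrelated pair of methods.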