Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Golang] Additional Taint Step hidden in PathGraph Visualisation#20596

Answeredbysmowton
KseniiaSmirn0va asked this question inQ&A
Discussion options

Hello,
I added a taint step by extendingTaintTracking::AdditionalTaintStep in golang. Now codeql builds the path with this step correctly, but I don't see the step itself in thealerts section, version2.21.0.

Here is a simplified code snippet for my query, which works like a charm:

// url comes already taintedfunc GetImageInfo(url string) (int32, int32, error) {...req, err := http.NewRequest(http.MethodGet, url, nil)       // my taint step: taint from url to the req variablereq = req.WithContext(extmon.MethodNameToCtx(req.Context(), "Get"))var resp *http.Responseresp, err = transport.RoundTrip(req)      // RoundTrip() is sink...}

The problem is, when I click through the steps in thealerts section, the only two steps for this function I see are:
func GetImageWH(url string) (int32, int32, error) { -definition of url
resp, err = transport.RoundTrip(req) -req

  1. How to make my customised taint step visible in the path?
  2. And when it becomes visible, I'd like to name the taint step asNewRequestStep in the graph visualisation, instead ofdefinition of url. How can I customise this if possible?

I need to explicitly reflect in the query results that my taint step contributed to the flow, for my internal SAST metrics/statistics.

Thanks for taking time with this!

You must be logged in to vote

You could try in your data-flow configuration specifyingpredicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

The names printed in the path explanation refer to nodes, not edges, but you could try something likeclass CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

Replies: 2 comments 5 replies

Comment options

You could try in your data-flow configuration specifyingpredicate neverSkip(Node node) -- by default, the edges relation that populates the user-facing graph will skip nodes unless they are join points (have multiple predecessors) or are interprocedural edges.

The names printed in the path explanation refer to nodes, not edges, but you could try something likeclass CustomNamedNode extends DataFlow::Node { ... CustomNamedNode() { ... characterise your node ... } ... override string toString() { ... stringify your node ... }, and ensure your custom node definition is in scope in the context of whatever query produces your path explanation.

You must be logged in to vote
3 replies
@KseniiaSmirn0va
Comment options

Thank you so much! That helps a lot.

@KseniiaSmirn0va
Comment options

@smowton Hello,
Now I'm trying to do the same for Csharp, but Csharp DataFlow::Node has thefinal annotation so I can't override it:
final string toString() { result = this.(NodeImpl).toStringImpl() }.

Is there any way to solve it out?

@smowton
Comment options

Hmm, well you could wrap the types involved in the PathGraph'snodes,edges,subpaths relations? Removeimport SomeFlow::PathGraph and instead do something like...

stringcustomToString(PathNoden){ ...your customstringification here ...}newtypeTMyPathNode=TWrapPathNode(PathNodepn)classMyPathNodeextendsTMyPathNode{PathNodepn;MyPathNode(){this=TWrapPathNode(pn)}stringtoString(){result=customToString(pn)ornotexists(customToString(pn))andresult=pn.toString()}PathNodegetPathNode(){result=pn}}querypredicatenodes(MyPathNodempn){  SomeFlow::PathGraph::nodes(mpn.getPathNode())}querypredicateedges(MyPathNodempn1,MyPathNodempn2){  SomeFlow::PathGraph::edges(mpn1.getPathNode(),mpn2.getPathNode())}querypredicatesubpaths(...)// similar
Answer selected byKseniiaSmirn0va
Comment options

We already make sure that we never skip over steps coming from function models for any configuration. We could do additional taint steps too.

There are edge labels for some edges, e.g. those coming from function models or from additional flow steps specified in the flow configuration. For steps coming fromTaintTracking::AdditionalTaintStep the label is "AdditionalTaintStep". We could make that customizable when you define the additional taint step.

Would either of these be helpful,@KseniiaSmirn0va ? Or has@smowton's suggestions already solved your problem?

You must be logged in to vote
2 replies
@KseniiaSmirn0va
Comment options

Thank you,@owen-mc, for the suggestion! Did you mean a new patch is coming out for the feature I need?
Actually, I've solved out the matter with@smowton's suggestion

@owen-mc
Comment options

Glad to hear your problem is solved. In that case I will not implement the more general solution that I suggested.

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Category
Q&A
Labels
None yet
3 participants
@KseniiaSmirn0va@smowton@owen-mc
[8]ページ先頭
©2009-2025 Movatter.jp