This repository is a practical lab focused on AppSec and SAST using CodeQL. The main goal is to detect command injection vulnerabilities using modern Taint Tracking techniques.
The lab analyzes a Java application (src/App.java) that takes user input through System.console().readLine() and passes it directly to Runtime.getRuntime().exec(). This creates a critical vulnerability where an attacker can execute arbitrary commands on the system.
- src/: Contains the vulnerable Java source code.
- queries/: Custom CodeQL queries.
  - find-exec.ql: Basic query to locate sinks.
  - path-problem.ql: Advanced Taint Tracking query using the modern CodeQL API.
- qlpack.yml: Configuration file for the CodeQL pack.
- CodeQL CLI installed and in your PATH.
- VS Code with the official CodeQL extension.
Run this command from the root directory to build the CodeQL database:
codeql database create db-java --language=java --source-root=./src

Execute the taint tracking query and generate the results in SARIF format:

codeql database analyze db-java queries/path-problem.ql --format=sarifv2.1.0 --output=results.sarif

You can open results.sarif in VS Code using a SARIF viewer, or use the CodeQL extension to run the queries interactively and see the full data flow paths from source to sink.
- Source: Untrusted user input via readLine.
- Sink: Dangerous execution function exec.
- Taint Tracking: Mapping how data flows from a source to a sink without proper sanitization.
- Modern API: Implementation using the DataFlow::ConfigSig and TaintTracking::Global modules.
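As an added illustration, not the repository's own path-problem.ql, here is a path-problem query written against the modern API with the source and sink described above; the method and package names are the standard JDK ones, and the @id value is a placeholder:

```ql
/**
 * @name Command injection from console input
 * @description Data read with Console.readLine() reaches Runtime.exec()
 *              without sanitization.
 * @kind path-problem
 * @problem.severity error
 * @id java/example/console-to-exec   // placeholder id for this example
 */

import java
import semmle.code.java.dataflow.TaintTracking
import Flow::PathGraph

// Configuration signature: declares what counts as a source and a sink.
module ConsoleToExecConfig implements DataFlow::ConfigSig {
  // Source: the result of java.io.Console.readLine()
  predicate isSource(DataFlow::Node source) {
    exists(MethodCall mc |
      mc.getMethod().hasName("readLine") and
      mc.getMethod().getDeclaringType().hasQualifiedName("java.io", "Console") and
      source.asExpr() = mc
    )
  }

  // Sink: any argument passed to java.lang.Runtime.exec()
  predicate isSink(DataFlow::Node sink) {
    exists(MethodCall mc |
      mc.getMethod().hasName("exec") and
      mc.getMethod().getDeclaringType().hasQualifiedName("java.lang", "Runtime") and
      sink.asExpr() = mc.getAnArgument()
    )
  }
}

// Instantiate global taint tracking (string concatenation etc. propagates taint).
module Flow = TaintTracking::Global<ConsoleToExecConfig>;

from Flow::PathNode source, Flow::PathNode sink
where Flow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "Command passed to Runtime.exec() is built from untrusted console input."
```

Because the query uses TaintTracking rather than plain DataFlow, a value that is concatenated into a larger command string still reaches the sink; adding an isBarrier predicate for a validation step is how you would model a sanitizer.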