Code accompanying the Getting started with CodeQL blog post on the Tweag blog, modeling the sarge Python library. This repository is purposely kept small; a more complete version of this code can be found at smelc/sarge-security-codeql.
You may also be interested in a variant of this repository that uses Java as the target programming language: tweag/java-security-codeql.
Download the CodeQL archive from its releases page (this repository used codeql 2.20.0), and make sure the codeql binary is in your PATH. Then install CodeQL's standard library and this repository as follows:
mkdir codeql-tutorial
cd codeql-tutorial
git clone https://github.com/github/codeql
git clone https://github.com/tweag/sarge-codeql-minimal
# At this point the "codeql" and "sarge-codeql-minimal" folders are siblings
cd sarge-codeql-minimal
Create the CodeQL database as follows:
./create-codeql-db.sh
Then run analyses as follows:
./run-codeql-analysis.sh
Prepare the environment as follows (to do only once):
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt -r dev-requirements.txt
Then run the application in one terminal:
flask --debug run
In another terminal, trigger the vulnerability:
curl -X POST http://localhost:5000/ -d "key=ls"
Now observe that in the terminal running the app, the ls command (provided by the user! 💣) was executed:
/ handler
Received: ls
app.py __pycache__ README.md requirements.txt
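The handler shape that the blog post's CodeQL query is meant to flag, next to a hardened version, as an added example that is not this repository's app.py. It uses the standard library's subprocess in place of sarge (an assumption made so it runs without extra packages) and plain functions instead of Flask routes.

```python
import subprocess

# Vulnerable shape (what the tutorial app does with sarge.run): the request's
# "key" value becomes the command line, so whoever sends the POST chooses
# what runs on the server.
def handle_key_unsafe(key: str) -> str:
    result = subprocess.run(key, shell=True, capture_output=True, text=True)
    return result.stdout

# Hardened shape: the client only names an action; the server owns the argv.
# No shell is involved, so there is no string for metacharacters to act on,
# and unknown actions are rejected rather than sanitised.
ALLOWED_ACTIONS = {
    "hello": ["echo", "hello"],  # constructed: deterministic output for the check below
    "list": ["ls", "-1"],
}

def handle_key_safe(key: str) -> str:
    argv = ALLOWED_ACTIONS.get(key)
    if argv is None:
        raise ValueError(f"unknown action {key!r}")
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout

if __name__ == "__main__":
    # The same "key=ls" that triggers the issue in the tutorial is refused here.
    try:
        handle_key_safe("ls")
    except ValueError as exc:
        print("rejected:", exc)
    print(handle_key_safe("hello"), end="")
```

The CodeQL model described in the blog post catches the first function because request data reaches the sarge call; the second never passes request data to a command runner, so it produces no alert.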