Determine if a function is passed to a function before it's being passed to another function.

[mzfr]

Hey, I'm pretty new to CodeQL and I haven’t been able to determine if a case I have in mind can be written as a CodeQL query.

I want to check if a variable of a certain type, is passed to a function before it's being passed to another function.

Ex:

Public UnsecureFunction() {
    // Do something with the user input
}

Public VerifyInput() {
   // Make sure user input doesn't have anything malicious
}

// Say it is URL type variable
URL myUrl = "https://google.com"

Now I want to make sure that before the code does UnSecureFunction(myUrl) it calls VerifyInput(myUrl)

So a code that should be flagged looks like this:

Scanner myUrl = new Scanner(System.in);
UnSecureFunction(myUrl)

And the code which shouldn't be flagged looks like this:

Scanner myUrl = new Scanner(System.in);
if VerifyInput(myUrl){
    UnSecureFunction(myUrl)
}

or even something like:

Scanner myUrl = new Scanner(System.in);
VerifyInput(myUrl) // If something wrong I can exist within this function
UnSecureFunction(myUrl)

[mzfr]

Just wanted to say that language is Java

[owen-mc]

You would write a CodeQL query for this kind of thing using the taint tracking library. The concept you are looking for is a SanitizerGuard. There's a simpler concept called a Sanitizer, which it is probalby easier to learn about first.

I think questions about CodeQL might get a better response in the codeql repo, where I see you've already posted a different question.

[Manouchehri]

See github/codeql#3358, which might help.

[mzfr]

Thanks :)

[pwntester]

You may also want to watch the second episode of LiveQL where we discussed a similar issue. TL;DR; You need to add a sanitizer that checks basic block dominance