CodeQL is GitHub's declarative static analyzer for discovering security vulnerabilities: you write queries that describe the code patterns to catch, and the engine evaluates them over a database built from the source. The tutorial demonstrates setting up the CodeQL CLI, creating a database from source code, and writing custom taint-tracking queries. Using a Flask application that calls the sarge Python library as an example, it shows how to model data sources and sinks so that command injection through sarge.run, which CodeQL's standard library does not model, is reported. The process involves implementing the DataFlow::ConfigSig module signature to define the sources of attacker-controlled data and the dangerous sinks that data must not reach.
Table of contents

- Writing the vulnerable code
- Running CodeQL on the CLI
- Writing a query to model sarge.run: modeling the source
- Writing a query to model sarge.run: modeling the sink
- Conclusion
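As an added illustration (not the tutorial's own query), this is the shape of a complete CodeQL query built the way the summary describes: remote HTTP input as the source, the first argument of `sarge.run` as the sink. It assumes the current module-based data-flow API for Python and that the Flask app hands a string derived from request data to `sarge.run`.

```ql
/**
 * @name Command injection via sarge.run
 * @description A string derived from a remote request reaches the
 *              command argument of sarge.run.
 * @kind path-problem
 * @problem.severity error
 * @id py/example/sarge-command-injection
 */

import python
import semmle.python.dataflow.new.DataFlow
import semmle.python.dataflow.new.TaintTracking
import semmle.python.dataflow.new.RemoteFlowSources
import semmle.python.ApiGraphs

// The configuration: which nodes are sources and which are sinks.
module SargeConfig implements DataFlow::ConfigSig {
  // Sources: CodeQL's built-in model of remote input, which already
  // covers Flask's request object (request.args, request.form, ...).
  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Sink: the first positional argument of any call to sarge.run,
  // located through the API graph so aliases and "from sarge import run"
  // are handled uniformly.
  predicate isSink(DataFlow::Node sink) {
    sink = API::moduleImport("sarge").getMember("run").getACall().getArg(0)
  }
}

// Instantiate global taint tracking with that configuration.
module SargeFlow = TaintTracking::Global<SargeConfig>;

import SargeFlow::PathGraph

// Report every source-to-sink path so the result shows the full flow.
from SargeFlow::PathNode source, SargeFlow::PathNode sink
where SargeFlow::flowPath(source, sink)
select sink.getNode(), source, sink,
  "This command is built from $@ and passed to sarge.run.", source.getNode(),
  "user-controlled input"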