Customizing RemoteFlowSource for javascript

[beescuit]

Hello, I was reading the docs on codeQL and stumbled upon this page: https://codeql.github.com/docs/codeql-language-guides/specifying-additional-remote-flow-sources-for-javascript/

I am currently trying to make the "default" codeql javascript pack work with a custom web framework.

I already have queries that return sources containing user-supplied input, but I'm having some trouble understanding how I could modify the codebase to allow for the rules to work properly (by including a new RemoteFlowSource definition?).
Are there any examples or at least directions I could follow to achieve this? Thanks!

[beescuit]

I have kind of figured this out.

In case anyone has this question in the future, you need to create a new class that extends RemoteFlowSource. In my case, I created a new file under javascript/ql/lib/semmle/javascript/frameworks/, you can start with a simple module like this and then adapt it to be similar to the other framework implementations in that folder:

import javascript
import semmle.javascript.frameworks.HTTP
private import DataFlow

module CustomFramework {
    private class RequestArguments extends RemoteFlowSource {
        RequestArguments() {
          // source query goes here, set the results to the "this variable"
        }
      
        override string getSourceType() { result = "Source Type" }
      }
}

Then just add a line that imports it to the HttpFramewors.qll and you should be done :)

[mbg]

Hi @beescuit 👋🏻

Great that you have been able to figure this out yourself and thank you for updating the discussion with your solution! ✨

Indeed, if you have a clone of the codeql repository (e.g. through starting with https://github.com/github/vscode-codeql-starter) then just modifying the relevant library files is an easy way to add new framework support or new queries.

If you want to also be able to run CodeQL in CI with the additional framework support/extra queries, then you can look into using https://github.com/advanced-security/codeql-bundle-action to do that.

Happy holidays!

[beescuit]

Hey @mbg,

Thanks for the response! It has helped me a lot.

I'm currently trying to get CI working, and have a few questions regarding the setup with codeql-bundle-action...

I see that one way to implement custom bundles into the pipeline would be to do something similar to this repo: https://github.com/advanced-security-demo/codeql-bundle-demo, which contains the pack with the Customizations.qll files AND the target application code. In this case, the bundle gets built and published as a release, which is then re-downloaded by the other workflow to perform analysis on further changes.

Although this works, I am currently looking for some way to do this in a non-monorepo fashion, in which I would have a separate repo for the customizations, allowing me to even reuse the built bundle/packs in multiple target applications. The main thing I am currently struggling with is making the bundle file available on other repositories considering all of them are internal and their respective actions would not be able to fetch releases from other private repos. Is there any way to publish the bundle or one of its packs, for example, to github packages so that actions in other repos would be able to access and run analysis with the custom queries? What would be the best set-up in this situation?

[mbg]

Hi @beescuit,

I think you are on the right track -- there's no inherent reason why it has to be a mono repo. The customisations can live in one repo with one workflow that publishes them as a release there that can then be downloaded by another repository. The GITHUB_TOKEN that's available in GHA workflows by default only has permissions to access the repository that the workflow is running on, however, so you will likely need a PAT with appropriate permissions to access the release in one repository from another. See the documentation at https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens which also has pointers to other resources if a PAT isn't appropriate here