From 43c58d6d8f1c7d79256f35f6c4720fea9232415c Mon Sep 17 00:00:00 2001
From: GeekMasher
Date: Mon, 16 Jun 2025 18:44:20 +0100
Subject: [PATCH 1/2] fix: Update Object getProperty to support String Literals
---
 ql/lib/codeql/bicep/ast/Resources.qll | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/ql/lib/codeql/bicep/ast/Resources.qll b/ql/lib/codeql/bicep/ast/Resources.qll
index 253d04d..f3cc72a 100644
--- a/ql/lib/codeql/bicep/ast/Resources.qll
+++ b/ql/lib/codeql/bicep/ast/Resources.qll
@@ -15,10 +15,17 @@ class Object extends Expr instanceof ObjectImpl {
 ObjectProperty getProp(int i) { result = ObjectImpl.super.getProperty(i) }
+ /**
+ * Get the value of a property by its name.
+ */
 Expr getProperty(string name) {
 exists(ObjectProperty property |
 property = this.getProperties() and
- property.getName().getName() = name
+ (
+ exists(Idents ident | ident = property.getName() | ident.getName() = name)
+ or
+ exists(StringLiteral str | str = property.getName() | str.getValue() = name)
+ )
 |
 result = property.getValue()
 )
@@ -29,7 +36,7 @@ class Object extends Expr instanceof ObjectImpl {
 * A ObjectProperty unknown AST node.
 */
 class ObjectProperty extends Expr instanceof ObjectPropertyImpl {
- Idents getName() { result = ObjectPropertyImpl.super.getName() }
+ Expr getName() { result = ObjectPropertyImpl.super.getName() }
 Expr getValue() { result = ObjectPropertyImpl.super.getValue() }
 }
@@ -87,9 +94,7 @@ class Resource extends TResource {
 exists(StringLiteral sl | sl = resource.getName() | result = sl.getValue())
 }
- Identifier getIdentifier() {
- result = resource.getIdentifier()
- }
+ Identifier getIdentifier() { result = resource.getIdentifier() }
 string getName() {
 exists(StringLiteral name |
From 5e134e5d0e5bccb8bdfe271f699e5aa63d37165e Mon Sep 17 00:00:00 2001
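Review bot: The new disjunction in `getProperty` matches only keys that are an `Idents` or a `StringLiteral`, so a property whose key is any other expression (an interpolated string, if the grammar gives it its own node type) produces no result and the lookup fails silently rather than loudly. For a detection query that treats a missing property as evidence of a misconfiguration this yields a false positive, and for one that inspects the property's value it yields a false negative, so the added doc comment should state the limitation and that the comparison is exact: `* Gets the value of the property whose key is the identifier or plain string-literal spelling of name (exact match). Keys written as any other expression are not matched.` The predicate's closing brace lies outside the hunk.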
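Review bot: Widening `ObjectProperty.getName()` from `Idents` to `Expr` breaks any caller that chained `Idents` members on its result, and only `Object.getProperty` is adjusted in this patch; other callers, if any, are outside this diff. The identifier-versus-string-literal disjunction now lives in the caller, so each future lookup by name will have to repeat it. A `string getNameText()` helper on `ObjectProperty` would centralize the two forms, letting `getProperty` reduce to `property.getNameText() = name` and giving later callers one definition to extend if more key forms are supported.
```ql
class ObjectProperty extends Expr instanceof ObjectPropertyImpl {
  Expr getName() { result = ObjectPropertyImpl.super.getName() }

  /** Gets the key as text when it is an identifier or a plain string literal. */
  string getNameText() {
    result = this.getName().(Idents).getName()
    or
    result = this.getName().(StringLiteral).getValue()
  }

  // … unchanged: getValue …
```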
From: GeekMasher
Date: Mon, 16 Jun 2025 18:49:42 +0100
Subject: [PATCH 2/2] feat: Add resolveProperties query and update sample.bicep to include subnet reference
---
 ql/test/library-tests/resource/Resolve.expected | 4 +++-
 ql/test/library-tests/resource/Resolve.ql | 5 +++++
 ql/test/library-tests/resource/sample.bicep | 3 +++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/ql/test/library-tests/resource/Resolve.expected b/ql/test/library-tests/resource/Resolve.expected
index f4efa13..abbb49e 100644
--- a/ql/test/library-tests/resource/Resolve.expected
+++ b/ql/test/library-tests/resource/Resolve.expected
@@ -1,4 +1,6 @@
 resolveIdentifier
 | sample.bicep:1:1:3:1 | VirtualNetworks Resource | sample.bicep:5:1:8:1 | ResourceDeclaration |
 resolveResource
-| sample.bicep:15:1:28:1 | VirtualMachines Resource | sample.bicep:10:1:13:1 | NetworkInterfaces Resource |
+| sample.bicep:15:1:31:1 | VirtualMachines Resource | sample.bicep:10:1:13:1 | NetworkInterfaces Resource |
+resolveProperties
+| sample.bicep:15:1:31:1 | VirtualMachines Resource | sample.bicep:26:17:28:7 | Object |
diff --git a/ql/test/library-tests/resource/Resolve.ql b/ql/test/library-tests/resource/Resolve.ql
index 0a8fcbf..179b6ee 100644
--- a/ql/test/library-tests/resource/Resolve.ql
+++ b/ql/test/library-tests/resource/Resolve.ql
@@ -7,3 +7,8 @@ query predicate resolveIdentifier(Network::VirtualNetworks vn, Network::VirtualN
 query predicate resolveResource(Compute::VirtualMachines vm, Network::NetworkInterfaces ni) {
 ni = vm.getNetworkInterfaces()
 }
+
+query predicate resolveProperties(Compute::VirtualMachines vm, Object subnet) {
+ subnet = vm.getProperties().getNetworkProfile().getProperty("subnet")
+
+}
diff --git a/ql/test/library-tests/resource/sample.bicep b/ql/test/library-tests/resource/sample.bicep
index 2f5ba86..e771723 100644
--- a/ql/test/library-tests/resource/sample.bicep
+++ b/ql/test/library-tests/resource/sample.bicep
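Review bot: The added `resolveProperties` predicate leaves a blank line between its only statement and the closing brace, which the project's formatter is unlikely to keep; drop it so the body is `subnet = vm.getProperties().getNetworkProfile().getProperty("subnet")` followed directly by `}`. As written the test pins only the string-literal branch of the new `getProperty` disjunction (the `'subnet'` key added to sample.bicep); an identifier-keyed lookup through the same `getProperty` in this test would pin the other branch too, unless `getNetworkProfile()` already exercises it, which cannot be seen from this diff.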
@@ -23,6 +23,9 @@ resource linuxVm 'Microsoft.Compute/virtualMachines@2020-06-01' = {
 id: nic.id
 }
 ]
+ 'subnet': {
+ id: existingSubnet.id
+ }
 }
 }
 }