Ll2

codeql-learninglab-check/package/src/index.ts

@@ -308,7 +308,9 @@ function isConfig(config: any): config is Config {
   // Upgrade the database if neccesary
   const databasePath = path.join(CONFIG_PATH, config.databasePath);
   console.log('Upgrading CodeQL Database');
-  await execFile('codeql', ['database', 'upgrade', databasePath]);
+  const updateResult = await execFile('codeql', ['database', 'upgrade', '-v', databasePath]);
+  console.log(updateResult.stderr);
+  console.log(updateResult.stdout);
 
   const csvPath = (queryPath: string) => path.join(OUTPUT_PATH, queryPath + '.csv');
 

courses/javascript/unsafe-jquery/README.md

@@ -0,0 +1,19 @@
+# CodeQL LearningLab Course Action Template
+
+Copy this entire directory,
+and replace the following:
+
+* Replace `<owner>`, `<repo>` and `<pkg>` in the `image` property in
+  [`action.yml`](action.yml) to reference the correct repository
+  where the docker image will be published,
+  and with a package name of your choice.
+  (For courses in this repository,
+  we use the convention of taking the course path,
+  and replacing slashes with dashes,
+  e.g. `courses/cpp/ctf-segv` becomes `courses-cpp-ctf-segv`)
+* Replace the zip file URL in [`image/Dockerfile`](image/Dockerfile)
+  to point to the CodeQL database that will be used in your course.
+
+After this,
+update [`answers/`](answers) and [`image/config/`](image/config)
+to add your model answers and expected query results as appropriate.

courses/javascript/unsafe-jquery/action.yml

@@ -0,0 +1,9 @@
+name: 'Check queries'
+description: 'Check that the queries that have been pushed produce the correct results'
+author: 'GitHub <opensource+codeql-learninglab-actions@github.com>'
+runs:
+  using: 'docker'
+  image: 'docker://docker.pkg.github.com/github/codeql-learninglab-actions/courses-javascript-unsafe-jquery'
+branding:
+  icon: 'check-circle'
+  color: 'purple'

courses/javascript/unsafe-jquery/answers/calls-to-dollar-arg.ql

@@ -0,0 +1,7 @@
+import javascript
+
+from CallExpr dollarCall, Expr dollarArg
+where
+    dollarArg = dollarCall.getArgument(0) and
+    dollarCall.getCalleeName() = "$"
+select dollarArg

courses/javascript/unsafe-jquery/answers/calls-to-dollar.ql

@@ -0,0 +1,5 @@
+import javascript
+
+from CallExpr dollarCall
+where dollarCall.getCalleeName() = "$"
+select dollarCall

courses/javascript/unsafe-jquery/answers/dollar-arg-node.ql

@@ -0,0 +1,6 @@
+import javascript
+
+from DataFlow::Node dollarArg
+where
+  dollarArg = jquery().getACall().getArgument(0)
+select dollarArg

courses/javascript/unsafe-jquery/answers/final.ql

@@ -0,0 +1,27 @@
+/**
+* @name Cross-site scripting vulnerable plugin
+* @kind path-problem
+* @id js/xss-unsafe-plugin
+*/
+
+import javascript
+import DataFlow::PathGraph
+
+class Configuration extends TaintTracking::Configuration {
+  Configuration() { this = "XssUnsafeJQueryPlugin" }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(DataFlow::FunctionNode plugin |
+      plugin = jquery().getAPropertyRead("fn").getAPropertySource() and
+      source = plugin.getLastParameter()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    sink = jquery().getACall().getArgument(0)
+  }
+}
+
+from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink, source, sink, "Potential XSS vulnerability in plugin."

courses/javascript/unsafe-jquery/answers/jquery-plugins.ql

@@ -0,0 +1,5 @@
+import javascript
+
+from DataFlow::Node plugin
+where plugin = jquery().getAPropertyRead("fn").getAPropertySource()
+select plugin

courses/javascript/unsafe-jquery/answers/plugin-options.ql

@@ -0,0 +1,7 @@
+import javascript
+
+from DataFlow::FunctionNode plugin, DataFlow::ParameterNode optionsParam
+where
+  plugin = jquery().getAPropertyRead("fn").getAPropertySource() and
+  optionsParam = plugin.getLastParameter()
+select plugin, optionsParam

courses/javascript/unsafe-jquery/answers/property-read.ql

@@ -0,0 +1,5 @@
+import javascript 
+
+from DataFlow::Node n
+where n = jquery().getAPropertyRead("fn")
+select n

courses/javascript/unsafe-jquery/answers/qlpack.yml

@@ -0,0 +1,3 @@
+name: course-template
+version: 0.0.0
+libraryPathDependencies: codeql-javascript # Update this with appropriate language

courses/javascript/unsafe-jquery/answers/sources.ql

@@ -0,0 +1,12 @@
+import javascript
+
+predicate isSource(DataFlow::Node source) {
+    exists(DataFlow::FunctionNode plugin |
+      plugin = jquery().getAPropertyRead("fn").getAPropertySource() and
+      source = plugin.getLastParameter()
+    )
+}
+
+from DataFlow::Node node
+where isSource(node)
+select node

courses/javascript/unsafe-jquery/image/Dockerfile

@@ -0,0 +1,7 @@
+FROM docker.pkg.github.com/github/codeql-learninglab-actions/codeql-learninglab-check:v2.0.0
+
+## Add course config
+COPY --chown=codeql:codeql config /home/codeql/config
+WORKDIR /home/codeql/config
+# Download, unzip and then delete the zip file in one step to reduce image size
+RUN wget --quiet https://github.com/githubsatelliteworkshops/codeql/releases/download/v1.0/esbena_bootstrap-pre-27047_javascript.zip -O database.zip && unzip -qq database.zip && rm -rf database.zip