{
 "cells": [
  {
   "cell_type": "markdown",
   "id": "ad247f35-1a9d-4f3a-9788-ecdbc43b6976",
   "metadata": {},
   "source": [
    "## Setup"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 1,
   "id": "9051f612-d935-4b90-a623-0c5504b51d9c",
   "metadata": {
    "tags": []
   },
   "outputs": [
    {
     "data": {
      "text/plain": [
       "'Database registered!'"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "%set_database codeql-db"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "id": "a460e252-30f5-4cad-9a32-253e9d789025",
   "metadata": {},
   "outputs": [],
   "source": [
    "import python\n",
    "import semmle.python.ApiGraphs\n",
    "import semmle.python.dataflow.new.RemoteFlowSources\n",
    "import semmle.python.dataflow.new.DataFlow"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "ee080ea9-375f-432b-8fc8-a93fa0e60910",
   "metadata": {},
   "source": [
    "## Code exploration"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "3c305ec3-40f7-4a7e-bef6-845ae0ef0c4f",
   "metadata": {},
   "source": [
    "### Find all calls to `subprocess.call`"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "id": "32c13716-39a0-43d9-8e05-25a11fcd557f",
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>n</th>\n",
       "      <th>URL for n</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>ControlFlowNode for Attribute()</td>\n",
       "      <td>file:///Users/pwntester/src/github.com/github/codeql-jupyter-kernel/example/src/main.py:3:1:3:38</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>"
      ],
      "text/plain": [
       "<IPython.core.display.HTML object>"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
    "query predicate test(API::CallNode n) {\n",
    "    n = API::moduleImport(\"subprocess\").getMember(\"call\").getACall()\n",
    "}"
   ]
  },
  {
   "cell_type": "markdown",
   "id": "0e37dbb8-32b5-45a0-8aa2-90a8b415c905",
   "metadata": {},
   "source": [
    "## Attack surface"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "9383863b-0f6e-4fc3-afad-b653cae62bdf",
   "metadata": {},
   "outputs": [],
   "source": [
    "query predicate attackSurface(DataFlow::Node n) { n instanceof RemoteFlowSource }"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "CodeQL",
   "language": "codeql",
   "name": "codeql"
  },
  "language_info": {
   "file_extension": ".ql",
   "help_links": [
    {
     "text": "MetaKernel Magics",
     "url": "https://metakernel.readthedocs.io/en/latest/source/README.html"
    }
   ],
   "mimetype": "text/x-codeql",
   "name": "codeql"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}