@statik
Last active July 27, 2020 16:30
import * as sns from '@aws-cdk/aws-sns';
import * as cdk from '@aws-cdk/core';
import { PolicyStatementBuilder } from '../lib/policy';
import { DeployableStack } from '../lib/deployable';
import { PhysicalStackProps } from '../lib/physical';

/**
 * EmptyStack is supposed to contain nothing. It is used when we want to remove all of the constructs
 * from a stack, because CloudFormation will not destroy a stack just because we removed it.
 *
 * Because CloudFormation also refuses to deploy an empty stack, it does actually contain a dummy resource.
 */
export class Empty extends DeployableStack {
  constructor(scope: cdk.App, id: string, props: PhysicalStackProps) {
    super(scope, id, props);

    // Dummy resource so that CloudFormation accepts the otherwise empty stack.
    new sns.Topic(this, 'DummyTopic', {
      displayName: 'Dummy SNS topic for empty stack',
    });

    // Fixtures for the CodeQL query below: a wildcard action that reaches
    // addActions through a local variable, and one passed directly as a literal.
    const permissions = '*';
    new PolicyStatementBuilder().allow().addActions(permissions).addResources('*').build();
    new PolicyStatementBuilder().allow().addActions('*').addResources('*').build();
  }
}
/**
 * @id iam-wildcard-action
 * @name Wildcard IAM actions
 * @description Finds calls to addActions that contain a bare wildcard
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @tags call
 *       method
 */

import javascript

from MethodCallExpr c
where
  c.getCalleeName() = "addActions" and
  // only matches a constant string "*" written directly as an argument
  exists(Expr e | e = c.getAnArgument() | e.getStringValue() = "*")
select c, "addActions called with wildcard"

Build the database

codeql database create codeql-typescript --language=javascript

Run the query

codeql database analyze codeql-typescript infra/qlpack/ --format=csv --output=js-results.csv

Look at the results

cat js-results.csv
"Wildcard IAM actions","Finds calls to that contain a bare wildcard","warning","addActions called with wildcard","/infra/stacks/empty.ts","23","9","23","60"

It is good that this finds line 23. I want to enhance the query to also find line 22, which has the permissions variable set to '*' instead of passing the string directly.
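One way to also catch the wildcard that reaches addActions through the permissions variable is to follow local data flow backwards from the call argument to any constant string "*". The query below is an added example, not part of the original gist; it assumes the standard CodeQL JavaScript library's DataFlow module (DataFlow::valueNode and DataFlow::Node.getAPredecessor()), and the query id, name and alert message are chosen here for illustration.

```ql
/**
 * @id iam-wildcard-action-flow
 * @name Wildcard IAM actions (direct or via a local variable)
 * @description Finds addActions calls whose argument is, or locally flows from,
 *              the bare wildcard "*"
 * @kind problem
 * @problem.severity warning
 * @precision medium
 * @tags call
 *       method
 */

import javascript

/** Holds if `n` is a constant string expression whose value is exactly "*". */
predicate isBareWildcard(DataFlow::Node n) { n.asExpr().getStringValue() = "*" }

from MethodCallExpr c, DataFlow::Node arg, DataFlow::Node src
where
  c.getCalleeName() = "addActions" and
  // the data-flow node for the argument expression passed to addActions
  arg = DataFlow::valueNode(c.getAnArgument()) and
  // zero or more local data-flow steps back from the argument; zero steps
  // covers addActions('*'), one step covers `const permissions = '*'` followed
  // by addActions(permissions) within the same function
  src = arg.getAPredecessor*() and
  isBareWildcard(src)
select c, "addActions called with wildcard from $@.", src, "this '*' constant"
```

Against the empty.ts above this reports both builder chains, with the second alert location pointing at the '*' literal the argument came from. The caveat is that getAPredecessor() only follows local (intra-procedural) flow, so a wildcard held in a module-level constant, returned from a helper, or imported from another file would still be missed; catching those needs a global DataFlow::Configuration with the "*" constants as sources and addActions arguments as sinks.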
