From 00b556cc54d13929bbbb3040cb0c652f94b26560 Mon Sep 17 00:00:00 2001
From: Josh Brown
Date: Thu, 19 Dec 2024 16:39:08 +1100
Subject: [PATCH] Revert "Remove Broken Rust Queries"
---
.../diagnostics/DataFlowConsistencyCounts.ql | 14 +++++
.../queries/security/CWE-089/SqlInjection.ql | 35 ++++++++++++
rust/ql/src/queries/summary/LinesOfCode.ql | 14 +++++
.../ql/src/queries/summary/LinesOfUserCode.ql | 14 +++++
rust/ql/src/queries/summary/SummaryStats.ql | 54 +++++++++++++++++++
rust/ql/src/queries/summary/TaintSources.ql | 18 +++++++
6 files changed, 149 insertions(+)
create mode 100644 rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql
create mode 100644 rust/ql/src/queries/security/CWE-089/SqlInjection.ql
create mode 100644 rust/ql/src/queries/summary/LinesOfCode.ql
create mode 100644 rust/ql/src/queries/summary/LinesOfUserCode.ql
create mode 100644 rust/ql/src/queries/summary/SummaryStats.ql
create mode 100644 rust/ql/src/queries/summary/TaintSources.ql
diff --git a/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql b/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql
new file mode 100644
index 00000000000..ecc7d1eb55a
--- /dev/null
+++ b/rust/ql/src/queries/diagnostics/DataFlowConsistencyCounts.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Data flow inconsistency counts
+ * @description Counts the number of data flow inconsistencies of each type. This query is intended for internal use.
+ * @kind diagnostic
+ * @id rust/diagnostics/data-flow-consistency-counts
+ */
+
+import codeql.rust.dataflow.internal.DataFlowConsistency as Consistency
+
+// see also `rust/diagnostics/data-flow-consistency`, which lists the
+// individual inconsistency results.
+from string type, int num
+where num = Consistency::getInconsistencyCounts(type)
+select type, num
diff --git a/rust/ql/src/queries/security/CWE-089/SqlInjection.ql b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
new file mode 100644
index 00000000000..ee2a3d14486
--- /dev/null
+++ b/rust/ql/src/queries/security/CWE-089/SqlInjection.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Database query built from user-controlled sources
+ * @description Building a database query from user-controlled sources is vulnerable to insertion of malicious code by attackers.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 8.8
+ * @precision high
+ * @id rust/sql-injection
+ * @tags security
+ * external/cwe/cwe-089
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.SqlInjectionExtensions
+import SqlInjectionFlow::PathGraph
+
+/**
+ * A taint configuration for tainted data that reaches a SQL sink.
+ */
+module SqlInjectionConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node node) { node instanceof SqlInjection::Source }
+
+ predicate isSink(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+
+ predicate isBarrier(DataFlow::Node barrier) { barrier instanceof SqlInjection::Barrier }
+}
+
+module SqlInjectionFlow = TaintTracking::Global;
+
+from SqlInjectionFlow::PathNode sourceNode, SqlInjectionFlow::PathNode sinkNode
+where SqlInjectionFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This query depends on a $@.",
+ sourceNode.getNode(), "user-provided value"
diff --git a/rust/ql/src/queries/summary/LinesOfCode.ql b/rust/ql/src/queries/summary/LinesOfCode.ql
new file mode 100644
index 00000000000..5e38ad33f26
--- /dev/null
+++ b/rust/ql/src/queries/summary/LinesOfCode.ql
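Review bot: In SqlInjection.ql as shown here, `module SqlInjectionFlow = TaintTracking::Global;` instantiates the taint-tracking module without a configuration, so `SqlInjectionConfig` (sources, sinks and barriers) is declared but never applied; the line should read `module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;`. The angle-bracket argument may simply have been lost when the patch was rendered, so check the file itself. Separately, this restores a query marked `@precision high` and `@security-severity 8.8` that the reverted commit had removed as broken, and the message gives no reason. A sentence in the commit body saying what was fixed would let consumers judge whether an empty result means no injection paths or a query that is not yet functional.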
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of Rust code in the database
+ * @description The total number of lines of Rust code across all files, including any libraries and auto-generated files that the extractor sees. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-code
+ * @tags summary
+ * lines-of-code
+ * telemetry
+ */
+
+import rust
+import Stats
+
+select getLinesOfCode()
diff --git a/rust/ql/src/queries/summary/LinesOfUserCode.ql b/rust/ql/src/queries/summary/LinesOfUserCode.ql
new file mode 100644
index 00000000000..3c81c3caf22
--- /dev/null
+++ b/rust/ql/src/queries/summary/LinesOfUserCode.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Total lines of user written Rust code in the database
+ * @description The total number of lines of Rust code from the source code directory. This query counts the lines of code, excluding whitespace or comments.
+ * @kind metric
+ * @id rust/summary/lines-of-user-code
+ * @tags summary
+ * lines-of-code
+ * debug
+ */
+
+import rust
+import Stats
+
+select getLinesOfUserCode()
diff --git a/rust/ql/src/queries/summary/SummaryStats.ql b/rust/ql/src/queries/summary/SummaryStats.ql
new file mode 100644
index 00000000000..ffe7cbf1a8f
--- /dev/null
+++ b/rust/ql/src/queries/summary/SummaryStats.ql
@@ -0,0 +1,54 @@
+/**
+ * @name Summary Statistics
+ * @description A table of summary statistics about a database.
+ * @kind metric
+ * @id rust/summary/summary-statistics
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+import codeql.rust.Diagnostics
+import Stats
+
+from string key, int value
+where
+ key = "Elements extracted" and value = count(Element e | not e instanceof Unextracted)
+ or
+ key = "Elements unextracted" and value = count(Unextracted e)
+ or
+ key = "Extraction errors" and value = count(ExtractionError e)
+ or
+ key = "Extraction warnings" and value = count(ExtractionWarning w)
+ or
+ key = "Files extracted - total" and value = count(ExtractedFile f | exists(f.getRelativePath()))
+ or
+ key = "Files extracted - with errors" and
+ value =
+ count(ExtractedFile f |
+ exists(f.getRelativePath()) and not f instanceof SuccessfullyExtractedFile
+ )
+ or
+ key = "Files extracted - without errors" and
+ value = count(SuccessfullyExtractedFile f | exists(f.getRelativePath()))
+ or
+ key = "Lines of code extracted" and value = getLinesOfCode()
+ or
+ key = "Lines of user code extracted" and value = getLinesOfUserCode()
+ or
+ key = "Inconsistencies - AST" and value = getTotalAstInconsistencies()
+ or
+ key = "Inconsistencies - CFG" and value = getTotalCfgInconsistencies()
+ or
+ key = "Inconsistencies - data flow" and value = getTotalDataFlowInconsistencies()
+ or
+ key = "Macro calls - total" and value = count(MacroCall mc)
+ or
+ key = "Macro calls - resolved" and value = count(MacroCall mc | mc.hasExpanded())
+ or
+ key = "Macro calls - unresolved" and value = count(MacroCall mc | not mc.hasExpanded())
+ or
+ key = "Taint sources - total" and value = count(ThreatModelSource s)
+ or
+ key = "Taint sources - active" and value = count(ActiveThreatModelSource s)
+select key, value order by key
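Review bot: The three "Files extracted" rows in SummaryStats.ql are filtered with `exists(f.getRelativePath())`, while "Elements extracted", "Extraction errors" and "Extraction warnings" are counted with no such filter, so the rows are not measured over the same set of files and nothing in the query says so. These figures are what a reader uses to judge how much of the code the security queries actually saw, so the difference should be documented. A comment above the `where` clause would do, for example `// File counts are limited to files that have a relative path; element and diagnostic counts cover everything extracted.` The intent of the filter is inferred from the code, so confirm the wording with the author.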
diff --git a/rust/ql/src/queries/summary/TaintSources.ql b/rust/ql/src/queries/summary/TaintSources.ql
new file mode 100644
index 00000000000..9ac72b706ef
--- /dev/null
+++ b/rust/ql/src/queries/summary/TaintSources.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Taint Sources
+ * @description List all sources of untrusted input that have been idenfitied
+ * in the database.
+ * @kind problem
+ * @problem.severity info
+ * @id rust/summary/taint-sources
+ * @tags summary
+ */
+
+import rust
+import codeql.rust.Concepts
+
+from ThreatModelSource s, string defaultString
+where
+ if s instanceof ActiveThreatModelSource then defaultString = " (DEFAULT)" else defaultString = ""
+select s,
+ "Flow source '" + s.getSourceType() + "' of type " + s.getThreatModel() + defaultString + "."
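Review bot: The `@description` metadata in TaintSources.ql misspells "identified" as "idenfitied", and this is text that tooling shows to users of the query; it should read `@description List all sources of untrusted input that have been identified`. The alert message also appends `" (DEFAULT)"` to sources that are `ActiveThreatModelSource`, and nothing in the file explains the suffix. A one-line comment before the `where` clause, such as `// " (DEFAULT)" marks sources that are ActiveThreatModelSource.`, would make the output self-explanatory.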