Rust: Make all query sinks extend QuerySink::Range and import them into Stats.qll (this ensures that sink statistics are complete).

This commit is contained in:
Geoffrey White
2025-04-01 09:29:51 +01:00
parent 49c2f97cc8
commit 1acbdbaaa2
4 changed files with 14 additions and 7 deletions

View File

@@ -7,12 +7,15 @@ private import codeql.util.Unit
private import rust
private import codeql.rust.dataflow.DataFlow
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
/**
* A data flow sink for cleartext transmission vulnerabilities. That is,
* a `DataFlow::Node` of something that is transmitted over a network.
*/
abstract class CleartextTransmissionSink extends DataFlow::Node { }
abstract class CleartextTransmissionSink extends QuerySink::Range {
override string getSinkType() { result = "CleartextTransmission" }
}
/**
* A barrier for cleartext transmission vulnerabilities.

View File

@@ -23,7 +23,9 @@ module TaintedPath {
/**
* A data flow sink for path injection vulnerabilities.
*/
abstract class Sink extends DataFlow::Node { }
abstract class Sink extends QuerySink::Range {
override string getSinkType() { result = "TaintedPath" }
}
/**
* A barrier for path injection vulnerabilities.

View File

@@ -44,6 +44,8 @@ module NormalHashFunction {
* hashing. That is, a broken or weak hashing algorithm.
*/
abstract class Sink extends QuerySink::Range {
override string getSinkType() { result = "WeakSensitiveDataHashing" }
/**
* Gets the name of the weak hashing algorithm.
*/
@@ -76,8 +78,6 @@ module NormalHashFunction {
class WeakHashingOperationInputAsSink extends Sink {
Cryptography::HashingAlgorithm algorithm;
override string getSinkType() { result = "WeakSensitiveDataHashing" }
WeakHashingOperationInputAsSink() {
exists(Cryptography::CryptographicOperation operation |
algorithm.isWeak() and

View File

@@ -15,10 +15,12 @@ private import codeql.rust.Diagnostics
private import codeql.rust.security.SensitiveData
private import TaintReach
// import all query extensions files, so that all extensions of `QuerySink` are found
private import codeql.rust.security.CleartextLoggingExtensions
private import codeql.rust.security.SqlInjectionExtensions
private import codeql.rust.security.WeakSensitiveDataHashingExtensions
private import codeql.rust.security.regex.RegexInjectionExtensions
private import codeql.rust.security.CleartextLoggingExtensions
private import codeql.rust.security.CleartextTransmissionExtensions
private import codeql.rust.security.SqlInjectionExtensions
private import codeql.rust.security.TaintedPathExtensions
private import codeql.rust.security.WeakSensitiveDataHashingExtensions
/**
* Gets a count of the total number of lines of code in the database.