diff --git a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
index 61d0ea4260d..ef5bcd4753b 100644
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
@@ -12,16 +12,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
///
/// A minimal environment for running the .NET CLI.
- ///
+ ///
/// DOTNET_CLI_UI_LANGUAGE: The .NET CLI language is set to English to avoid localized output.
/// MSBUILDDISABLENODEREUSE: To ensure clean environment for each build.
/// DOTNET_SKIP_FIRST_TIME_EXPERIENCE: To skip first time experience messages.
+ /// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.
///
static ReadOnlyDictionary MinimalEnvironment { get; } = new(new Dictionary
{
{"DOTNET_CLI_UI_LANGUAGE", "en"},
{"MSBUILDDISABLENODEREUSE", "1"},
- {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"}
+ {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"},
+ {"DOTNET_CLI_TELEMETRY_OPTOUT", "1"}
});
///
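Review bot: The new doc line for `DOTNET_CLI_TELEMETRY_OPTOUT` says telemetry "can even cause issues" without saying which ones, so a later maintainer cannot judge whether the entry is still needed. I would name the failure mode or reference the report that motivated it, e.g. `/// DOTNET_CLI_TELEMETRY_OPTOUT: Disables .NET CLI telemetry; the extractor does not need it and it has caused <observed issue - placeholder>.` How `MinimalEnvironment` is merged with the inherited process environment is not visible in this hunk. It is worth confirming that an inherited or caller-supplied value cannot re-enable telemetry while the extractor is restoring dependencies for code it does not trust.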
diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
index 117f67a7b4e..89a0a2c5c92 100644
--- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSource
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
@@ -69,6 +70,13 @@ module AccessInvalidPointer {
ModelsAsDataSink() { sinkNode(this, "pointer-access") }
}
+ /**
+ * A barrier for invalid pointer access from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "pointer-access") }
+ }
+
/**
* A barrier for invalid pointer access vulnerabilities for values checked to
* be non-`null`.
diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
index f634992fb81..c728d29f015 100644
--- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.security.SensitiveData
private import codeql.rust.Concepts
@@ -44,6 +45,13 @@ module CleartextLogging {
ModelsAsDataSink() { sinkNode(this, "log-injection") }
}
+ /**
+ * A barrier for logging from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
+ }
+
private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
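Review bot: `ModelsAsDataBarrier` reuses the sink kind `"log-injection"` as its barrier kind, so any model-data barrier written for the log injection query also stops flow in this cleartext logging query. A sanitizer that neutralises line breaks or control characters does not make a password or token safe to log, so such a model would presumably hide true cleartext-logging results. The same coupling appears in CleartextStorageDatabaseExtensions.qll (`"sql-injection"`), CleartextTransmissionExtensions.qll and UseOfHttpExtensions.qll (`"request-url"`), where escaping or URL validation implies neither encryption nor HTTPS. Consider a dedicated barrier kind for the sensitive-data queries, or at least a doc comment stating the overlap, as the HardcodedCryptographicValue barrier in this commit already does for its kinds. The doc text `A barrier for logging from model data.` would also be clearer as `A barrier for cleartext logging vulnerabilities from model data.`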
diff --git a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll
index f92b2df1dc0..afbf27e5bc9 100644
--- a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll
@@ -45,4 +45,11 @@ module CleartextStorageDatabase {
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) }
}
+
+ /**
+ * A barrier for cleartext storage vulnerabilities from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) }
+ }
}
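Review bot: This file gains a `barrierNode` call but no `private import codeql.rust.dataflow.FlowBarrier` hunk, unlike the other extension files in this commit that add that import alongside the call; TaintedPathExtensions.qll is in the same position. The import list lies outside the hunk, so the predicate may already be in scope. Please confirm that `barrierNode` resolves to the FlowBarrier predicate in both files through an explicit import rather than through an incidental re-export.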
diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll
index 7d5a91a55f7..14ee95186c3 100644
--- a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll
@@ -6,6 +6,7 @@
private import codeql.util.Unit
private import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.security.SensitiveData
private import codeql.rust.Concepts
@@ -55,4 +56,11 @@ module CleartextTransmission {
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
}
+
+ /**
+ * A barrier defined through MaD.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) }
+ }
}
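Review bot: The doc comment `A barrier defined through MaD.` does not name the vulnerability class, and it uses an abbreviation where every sibling file in this commit writes "from model data". I suggest `A barrier for cleartext transmission vulnerabilities from model data.` so the documentation stays consistent across the security extension modules and a reader can tell which query the barrier affects.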
diff --git a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
index a86ee506dfa..a5933bc74b1 100644
--- a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.rust.dataflow.internal.Node as Node
@@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions {
override string getSinkType() { result = "DisabledCertificateCheck" }
}
+ /**
+ * A data flow barrier for disabled certificate check vulnerabilities.
+ */
+ abstract class Barrier extends DataFlow::Node { }
+
/**
* A sink for disabled certificate check vulnerabilities from model data.
*/
@@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions {
)
}
}
+
+ /**
+ * A barrier for disabled certificate check vulnerabilities from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") }
+ }
}
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
index 9bdfc53971e..09e2505eb5c 100644
--- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSource
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
@@ -130,6 +131,19 @@ module HardcodedCryptographicValue {
override CryptographicValueKind getKind() { result = kind }
}
+ /**
+ * An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
+ *
+ * Note that a barrier will block flow to all hard-coded cryptographic value
+ * sinks, regardless of the `kind` that is specified. For example a barrier of
+ * kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() {
+ exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind))
+ }
+ }
+
/**
* A call to `getrandom` that is a barrier.
*/
diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll
index 87d37d6b85b..bd74dcb8728 100644
--- a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSource
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
@@ -48,6 +49,13 @@ module InsecureCookie {
ModelsAsDataSink() { sinkNode(this, "cookie-use") }
}
+ /**
+ * A barrier for insecure cookie vulnerabilities from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "cookie-use") }
+ }
+
/**
* Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`,
* with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example,
diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
index 31403b625f9..40d11362355 100644
--- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.util.Unit
@@ -44,6 +45,13 @@ module LogInjection {
ModelsAsDataSink() { sinkNode(this, "log-injection") }
}
+ /**
+ * A barrier for log-injection from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
+ }
+
/**
* A barrier for log injection vulnerabilities for nodes whose type is a
* numeric type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll
index 1822baff644..d5b75258ad4 100644
--- a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.dataflow.FlowSource
private import codeql.rust.Concepts
@@ -46,4 +47,11 @@ module RequestForgery {
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "request-url") }
}
+
+ /**
+ * A barrier for request forgery from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "request-url") }
+ }
}
diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
index f36ab264987..de2622974f6 100644
--- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
@@ -6,6 +6,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.util.Unit
@@ -53,12 +54,19 @@ module SqlInjection {
}
/**
- * A sink for sql-injection from model data.
+ * A sink for SQL injection from model data.
*/
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "sql-injection") }
}
+ /**
+ * A barrier for SQL injection from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "sql-injection") }
+ }
+
/**
* A barrier for SQL injection vulnerabilities for nodes whose type is a numeric
* type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
index ccf3736ceb4..2bd009909f6 100644
--- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll
@@ -47,6 +47,11 @@ module TaintedPath {
private class ModelsAsDataSinks extends Sink {
ModelsAsDataSinks() { sinkNode(this, "path-injection") }
}
+
+ /** A barrier for path-injection from model data. */
+ private class ModelsAsDataBarriers extends Barrier {
+ ModelsAsDataBarriers() { barrierNode(this, "path-injection") }
+ }
}
private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) {
diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
index c6251563ea6..f0c0bed0009 100644
--- a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
@@ -6,6 +6,7 @@
import rust
private import codeql.rust.Concepts
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
/**
@@ -32,6 +33,13 @@ module UncontrolledAllocationSize {
ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) }
}
+ /**
+ * A barrier for uncontrolled allocation size from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) }
+ }
+
/**
* A barrier for uncontrolled allocation size that is an upper bound check / guard.
*/
diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
index 076ed42edfb..f4dd5a1e1a8 100644
--- a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
@@ -59,4 +60,11 @@ module UseOfHttp {
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "request-url") }
}
+
+ /**
+ * A barrier for use of HTTP URLs from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "request-url") }
+ }
}
diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll
index 97318ff8173..74ed161acb0 100644
--- a/rust/ql/lib/codeql/rust/security/XssExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/XssExtensions.qll
@@ -5,6 +5,7 @@
import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.util.Unit
@@ -44,6 +45,13 @@ module Xss {
ModelsAsDataSink() { sinkNode(this, "html-injection") }
}
+ /**
+ * A barrier for XSS from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "html-injection") }
+ }
+
/**
* A barrier for XSS vulnerabilities for nodes whose type is a
* numeric or boolean type, which is unlikely to expose any vulnerability.
diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
index 7cb0dc47c9f..3f1dbbafb7d 100644
--- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
+++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll
@@ -6,6 +6,7 @@
private import codeql.util.Unit
private import rust
private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowBarrier
private import codeql.rust.dataflow.FlowSink
private import codeql.rust.Concepts
private import codeql.rust.security.Barriers as Barriers
@@ -69,6 +70,13 @@ module RegexInjection {
ModelsAsDataSink() { sinkNode(this, "regex-use") }
}
+ /**
+ * A barrier for regular expression injection from model data.
+ */
+ private class ModelsAsDataBarrier extends Barrier {
+ ModelsAsDataBarrier() { barrierNode(this, "regex-use") }
+ }
+
/**
* An escape barrier for regular expression injection vulnerabilities.
*/
diff --git a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
index ae22a3c9d2c..3e978e2934b 100644
--- a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
+++ b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql
@@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
predicate isSink(DataFlow::Node node) { node instanceof Sink }
+ predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
+
predicate observeDiffInformedIncrementalMode() { any() }
}
diff --git a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
index fb71423503d..8ec2f3354db 100644
--- a/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/rust/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -138,7 +138,10 @@ private module SummaryModelGeneratorInput implements SummaryModelGeneratorInputS
Parameter asParameter(NodeExtended node) { result = node.asParameter() }
- predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) { none() }
+ predicate isAdditionalContentFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
+ RustTaintTracking::defaultAdditionalTaintStep(nodeFrom, nodeTo, _) and
+ not RustDataFlow::readStep(nodeFrom, _, nodeTo)
+ }
predicate isField(DataFlow::ContentSet c) {
c.(SingletonContentSet).getContent() instanceof FieldContent
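Review bot: `isAdditionalContentFlowStep` changes from `none()` to every default additional taint step that is not also a read step, but nothing in the hunk says why read steps are excluded. The predicate sits in `SummaryModelGeneratorInput`, so a wrong step here ends up in generated summary models that the security queries then rely on. The reasoning deserves a comment above the body, e.g. `// Exclude taint steps that are also read steps; presumably reads are already tracked as content flow (confirm).` The third argument of `defaultAdditionalTaintStep` is ignored with `_`; if it distinguishes kinds of steps, the comment should say that all of them are intended.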