hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rust: Allow implicit taint reads from tuple contents at sinks.

Browse Source
This commit is contained in:
Geoffrey White
2025-01-22 18:20:28 +00:00
parent 64444940a6
commit 78c58aa5f1
4 changed files with 56 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll
View File

@@ -773,7 +773,7 @@ final class ArrayElementContent extends Content, TArrayElement {
* NOTE: Unlike `struct`s and `enum`s tuples are structural and not nominal,
* hence we don't store a canonical path for them.
*/
private class TuplePositionContent extends Content, TTuplePositionContent {
final class TuplePositionContent extends Content, TTuplePositionContent {
private int pos;
TuplePositionContent() { this = TTuplePositionContent(pos) }

7
rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
View File

@@ -17,6 +17,7 @@ import rust
import codeql.rust.security.CleartextLoggingExtensions
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
import codeql.rust.dataflow.internal.DataFlowImpl
/**
* A taint-tracking configuration for cleartext logging vulnerabilities.
@@ -34,6 +35,12 @@ module CleartextLoggingConfig implements DataFlow::ConfigSig {
// make sources barriers so that we only report the closest instance
isSource(node)
}
predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
// flow out from tuple content at sinks.
isSink(node) and
c.getAReadContent() instanceof TuplePositionContent
}
}
module CleartextLoggingFlow = TaintTracking::Global<CleartextLoggingConfig>;

44
rust/ql/test/query-tests/security/CWE-312/CleartextLogging.expected
View File

@@ -11,13 +11,17 @@
| test_logging.rs:57:5:57:34 | ...::log | test_logging.rs:57:24:57:31 | password | test_logging.rs:57:5:57:34 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:57:24:57:31 | password | password |
| test_logging.rs:58:5:58:36 | ...::log | test_logging.rs:58:24:58:31 | password | test_logging.rs:58:5:58:36 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:58:24:58:31 | password | password |
| test_logging.rs:60:5:60:54 | ...::log | test_logging.rs:60:46:60:53 | password | test_logging.rs:60:5:60:54 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:60:46:60:53 | password | password |
| test_logging.rs:61:5:61:55 | ...::log | test_logging.rs:61:21:61:28 | password | test_logging.rs:61:5:61:55 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:61:21:61:28 | password | password |
| test_logging.rs:65:5:65:48 | ...::log | test_logging.rs:65:40:65:47 | password | test_logging.rs:65:5:65:48 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:65:40:65:47 | password | password |
| test_logging.rs:67:5:67:66 | ...::log | test_logging.rs:67:58:67:65 | password | test_logging.rs:67:5:67:66 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:67:58:67:65 | password | password |
| test_logging.rs:68:5:68:67 | ...::log | test_logging.rs:68:19:68:26 | password | test_logging.rs:68:5:68:67 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:68:19:68:26 | password | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | test_logging.rs:72:39:72:46 | password | test_logging.rs:72:5:72:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:72:39:72:46 | password | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | test_logging.rs:74:57:74:64 | password | test_logging.rs:74:5:74:65 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:74:57:74:64 | password | password |
| test_logging.rs:75:5:75:51 | ...::log::<...> | test_logging.rs:75:21:75:28 | password | test_logging.rs:75:5:75:51 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:75:21:75:28 | password | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | test_logging.rs:76:39:76:46 | password | test_logging.rs:76:5:76:47 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:76:39:76:46 | password | password |
| test_logging.rs:82:5:82:44 | ...::log::<...> | test_logging.rs:82:36:82:43 | password | test_logging.rs:82:5:82:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:82:36:82:43 | password | password |
| test_logging.rs:84:5:84:62 | ...::log::<...> | test_logging.rs:84:54:84:61 | password | test_logging.rs:84:5:84:62 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:84:54:84:61 | password | password |
| test_logging.rs:85:5:85:48 | ...::log::<...> | test_logging.rs:85:21:85:28 | password | test_logging.rs:85:5:85:48 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:85:21:85:28 | password | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | test_logging.rs:86:36:86:43 | password | test_logging.rs:86:5:86:44 | ...::log::<...> | This operation writes '...::log::<...>' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:86:36:86:43 | password | password |
| test_logging.rs:100:5:100:19 | ...::log | test_logging.rs:99:38:99:45 | password | test_logging.rs:100:5:100:19 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:99:38:99:45 | password | password |
| test_logging.rs:118:5:118:42 | ...::log | test_logging.rs:118:28:118:41 | get_password(...) | test_logging.rs:118:5:118:42 | ...::log | This operation writes '...::log' to a log file. It may contain unencrypted sensitive data from $@. | test_logging.rs:118:28:118:41 | get_password(...) | get_password(...) |
@@ -66,20 +70,40 @@ edges
| test_logging.rs:58:24:58:31 | password | test_logging.rs:58:12:58:35 | MacroExpr | provenance | |
| test_logging.rs:60:30:60:53 | MacroExpr | test_logging.rs:60:5:60:54 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:60:46:60:53 | password | test_logging.rs:60:30:60:53 | MacroExpr | provenance | |
| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:61:5:61:55 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:61:5:61:55 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:61:20:61:28 | &password [&ref] | test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:61:21:61:28 | password | test_logging.rs:61:20:61:28 | &password [&ref] | provenance | |
| test_logging.rs:65:24:65:47 | MacroExpr | test_logging.rs:65:5:65:48 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:65:40:65:47 | password | test_logging.rs:65:24:65:47 | MacroExpr | provenance | |
| test_logging.rs:67:42:67:65 | MacroExpr | test_logging.rs:67:5:67:66 | ...::log | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:67:58:67:65 | password | test_logging.rs:67:42:67:65 | MacroExpr | provenance | |
| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | test_logging.rs:68:5:68:67 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | test_logging.rs:68:5:68:67 | ...::log | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:68:18:68:26 | &password [&ref] | test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:68:19:68:26 | password | test_logging.rs:68:18:68:26 | &password [&ref] | provenance | |
| test_logging.rs:72:23:72:46 | MacroExpr | test_logging.rs:72:5:72:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:72:39:72:46 | password | test_logging.rs:72:23:72:46 | MacroExpr | provenance | |
| test_logging.rs:74:41:74:64 | MacroExpr | test_logging.rs:74:5:74:65 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:74:57:74:64 | password | test_logging.rs:74:41:74:64 | MacroExpr | provenance | |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:75:5:75:51 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:75:20:75:28 | &password [&ref] | test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:75:21:75:28 | password | test_logging.rs:75:20:75:28 | &password [&ref] | provenance | |
| test_logging.rs:76:23:76:46 | MacroExpr | test_logging.rs:76:5:76:47 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:76:39:76:46 | password | test_logging.rs:76:23:76:46 | MacroExpr | provenance | |
| test_logging.rs:82:20:82:43 | MacroExpr | test_logging.rs:82:5:82:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:82:36:82:43 | password | test_logging.rs:82:20:82:43 | MacroExpr | provenance | |
| test_logging.rs:84:38:84:61 | MacroExpr | test_logging.rs:84:5:84:62 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:84:54:84:61 | password | test_logging.rs:84:38:84:61 | MacroExpr | provenance | |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | test_logging.rs:85:5:85:48 | ...::log::<...> | provenance | MaD:1 Sink:MaD:1 Sink:MaD:1 Sink:MaD:1 |
| test_logging.rs:85:20:85:28 | &password [&ref] | test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | provenance | |
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | provenance | |
| test_logging.rs:85:21:85:28 | password | test_logging.rs:85:20:85:28 | &password [&ref] | provenance | |
| test_logging.rs:86:20:86:43 | MacroExpr | test_logging.rs:86:5:86:44 | ...::log::<...> | provenance | MaD:0 Sink:MaD:0 |
| test_logging.rs:86:36:86:43 | password | test_logging.rs:86:20:86:43 | MacroExpr | provenance | |
| test_logging.rs:99:9:99:10 | m3 | test_logging.rs:100:11:100:18 | MacroExpr | provenance | |
@@ -207,18 +231,33 @@ nodes
| test_logging.rs:60:5:60:54 | ...::log | semmle.label | ...::log |
| test_logging.rs:60:30:60:53 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:60:46:60:53 | password | semmle.label | password |
| test_logging.rs:61:5:61:55 | ...::log | semmle.label | ...::log |
| test_logging.rs:61:20:61:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:61:20:61:28 | &password [&ref] | semmle.label | &password [&ref] |
| test_logging.rs:61:20:61:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:61:21:61:28 | password | semmle.label | password |
| test_logging.rs:65:5:65:48 | ...::log | semmle.label | ...::log |
| test_logging.rs:65:24:65:47 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:65:40:65:47 | password | semmle.label | password |
| test_logging.rs:67:5:67:66 | ...::log | semmle.label | ...::log |
| test_logging.rs:67:42:67:65 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:67:58:67:65 | password | semmle.label | password |
| test_logging.rs:68:5:68:67 | ...::log | semmle.label | ...::log |
| test_logging.rs:68:18:68:26 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:68:18:68:26 | &password [&ref] | semmle.label | &password [&ref] |
| test_logging.rs:68:18:68:26 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:68:19:68:26 | password | semmle.label | password |
| test_logging.rs:72:5:72:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:72:23:72:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:72:39:72:46 | password | semmle.label | password |
| test_logging.rs:74:5:74:65 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:74:41:74:64 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:74:57:74:64 | password | semmle.label | password |
| test_logging.rs:75:5:75:51 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:75:20:75:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:75:20:75:28 | &password [&ref] | semmle.label | &password [&ref] |
| test_logging.rs:75:20:75:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:75:21:75:28 | password | semmle.label | password |
| test_logging.rs:76:5:76:47 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:76:23:76:46 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:76:39:76:46 | password | semmle.label | password |
@@ -228,6 +267,11 @@ nodes
| test_logging.rs:84:5:84:62 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:84:38:84:61 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:84:54:84:61 | password | semmle.label | password |
| test_logging.rs:85:5:85:48 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:85:20:85:28 | &... [&ref, tuple.0, &ref] | semmle.label | &... [&ref, tuple.0, &ref] |
| test_logging.rs:85:20:85:28 | &password [&ref] | semmle.label | &password [&ref] |
| test_logging.rs:85:20:85:28 | TupleExpr [tuple.0, &ref] | semmle.label | TupleExpr [tuple.0, &ref] |
| test_logging.rs:85:21:85:28 | password | semmle.label | password |
| test_logging.rs:86:5:86:44 | ...::log::<...> | semmle.label | ...::log::<...> |
| test_logging.rs:86:20:86:43 | MacroExpr | semmle.label | MacroExpr |
| test_logging.rs:86:36:86:43 | password | semmle.label | password |

8
rust/ql/test/query-tests/security/CWE-312/test_logging.rs
View File

@@ -58,21 +58,21 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
debug!("message = {password:?}"); // $ Source Alert[rust/cleartext-logging]
debug!(target: "target", "message = {}", harmless);
debug!(target: "target", "message = {}", password); // $ Source Alert[rust/cleartext-logging]
debug!(target: &password, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
debug!(target: &password, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
// log! macro, various formatting
log!(Level::Error, "message = {}", harmless);
log!(Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
log!(target: "target", Level::Error, "message = {}", harmless);
log!(target: "target", Level::Error, "message = {}", password); // $ Source Alert[rust/cleartext-logging]
log!(target: &password, Level::Error, "message = {}", harmless); // $ MISSING: Alert[rust/cleartext-logging]
log!(target: &password, Level::Error, "message = {}", harmless); // $ Source Alert[rust/cleartext-logging]
// structured logging
error!(value = 1; "message = {}", harmless);
error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: "target", value = 1; "message");
error!(target: "target", value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: &password, value = 1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(target: &password, value = 1; "message"); // $ Source Alert[rust/cleartext-logging]
error!(value = 1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(value = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(value:? = password.as_str(); "message"); // $ MISSING: Alert[rust/cleartext-logging]
@@ -82,7 +82,7 @@ fn test_log(harmless: String, password: String, encrypted_password: String) {
error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: "target", value1; "message");
error!(target: "target", value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
error!(target: &password, value1; "message"); // $ MISSING: Alert[rust/cleartext-logging]
error!(target: &password, value1; "message"); // $ Source Alert[rust/cleartext-logging]
error!(value1; "message = {}", password); // $ Source Alert[rust/cleartext-logging]
let value2 = password.as_str();