mirror of
https://github.com/github/codeql.git
synced 2025-12-24 04:36:35 +01:00
Merge branch 'main' into badalloc
This commit is contained in:
Geoffrey White
@@ -17,21 +17,22 @@
|
||||
private import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.TaintTracking
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.rust.security.regex.RegexInjectionExtensions
|
||||
|
||||
/**
|
||||
* A taint configuration for detecting regular expression injection vulnerabilities.
|
||||
*/
|
||||
module RegexInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
|
||||
import RegexInjection
|
||||
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
|
||||
predicate isSource(DataFlow::Node source) { source instanceof Source }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RegexInjectionBarrier }
|
||||
predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||
any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
|
||||
any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -16,11 +16,10 @@
|
||||
|
||||
import rust
|
||||
import codeql.rust.dataflow.DataFlow
|
||||
import codeql.rust.dataflow.internal.DataFlowImpl as DataflowImpl
|
||||
import codeql.rust.dataflow.TaintTracking
|
||||
import codeql.rust.dataflow.internal.DataFlowImpl as DataflowImpl
|
||||
import codeql.rust.Concepts
|
||||
import codeql.rust.security.TaintedPathExtensions
|
||||
import TaintedPathFlow::PathGraph
|
||||
private import codeql.rust.Concepts
|
||||
|
||||
newtype NormalizationState =
|
||||
/** A state signifying that the file path has not been normalized. */
|
||||
@@ -84,6 +83,8 @@ module TaintedPathConfig implements DataFlow::StateConfigSig {
|
||||
|
||||
module TaintedPathFlow = TaintTracking::GlobalWithState<TaintedPathConfig>;
|
||||
|
||||
import TaintedPathFlow::PathGraph
|
||||
|
||||
from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
|
||||
where TaintedPathFlow::flowPath(source, sink)
|
||||
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
|
||||
|
||||
@@ -14,21 +14,24 @@ import rust
|
||||
import codeql.rust.dataflow.DataFlow
|
||||
import codeql.rust.dataflow.TaintTracking
|
||||
import codeql.rust.security.SqlInjectionExtensions
|
||||
import SqlInjectionFlow::PathGraph
|
||||
|
||||
/**
|
||||
* A taint configuration for tainted data that reaches a SQL sink.
|
||||
*/
|
||||
module SqlInjectionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof SqlInjection::Source }
|
||||
import SqlInjection
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof SqlInjection::Sink }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof SqlInjection::Barrier }
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
|
||||
}
|
||||
|
||||
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
|
||||
|
||||
import SqlInjectionFlow::PathGraph
|
||||
|
||||
from SqlInjectionFlow::PathNode sourceNode, SqlInjectionFlow::PathNode sinkNode
|
||||
where SqlInjectionFlow::flowPath(sourceNode, sinkNode)
|
||||
select sinkNode.getNode(), sourceNode, sinkNode, "This query depends on a $@.",
|
||||
|
||||
@@ -13,7 +13,6 @@
|
||||
|
||||
import rust
|
||||
import codeql.rust.dataflow.DataFlow
|
||||
import codeql.rust.security.SensitiveData
|
||||
import codeql.rust.dataflow.TaintTracking
|
||||
import codeql.rust.security.CleartextTransmissionExtensions
|
||||
|
||||
@@ -22,14 +21,16 @@ import codeql.rust.security.CleartextTransmissionExtensions
|
||||
* transmitted over a network.
|
||||
*/
|
||||
module CleartextTransmissionConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node node) { node instanceof SensitiveData }
|
||||
import CleartextTransmission
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmissionSink }
|
||||
predicate isSource(DataFlow::Node node) { node instanceof Source }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextTransmissionBarrier }
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
|
||||
|
||||
predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
|
||||
any(CleartextTransmissionAdditionalFlowStep s).step(nodeFrom, nodeTo)
|
||||
any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
|
||||
}
|
||||
|
||||
predicate isBarrierIn(DataFlow::Node node) {
|
||||
|
||||
@@ -14,9 +14,9 @@
|
||||
*/
|
||||
|
||||
import rust
|
||||
import codeql.rust.security.CleartextLoggingExtensions
|
||||
import codeql.rust.dataflow.DataFlow
|
||||
import codeql.rust.dataflow.TaintTracking
|
||||
import codeql.rust.security.CleartextLoggingExtensions
|
||||
|
||||
/**
|
||||
* A taint-tracking configuration for cleartext logging vulnerabilities.
|
||||
|
||||
@@ -13,9 +13,9 @@
|
||||
*/
|
||||
|
||||
import rust
|
||||
import codeql.rust.security.WeakSensitiveDataHashingExtensions
|
||||
import codeql.rust.dataflow.DataFlow
|
||||
import codeql.rust.dataflow.TaintTracking
|
||||
import codeql.rust.security.WeakSensitiveDataHashingExtensions
|
||||
|
||||
/**
|
||||
* Provides a taint-tracking configuration for detecting use of a broken or weak
|
||||
|
||||
@@ -15,12 +15,14 @@ private import codeql.rust.Diagnostics
|
||||
private import codeql.rust.security.SensitiveData
|
||||
private import TaintReach
|
||||
// import all query extensions files, so that all extensions of `QuerySink` are found
|
||||
private import codeql.rust.security.regex.RegexInjectionExtensions
|
||||
private import codeql.rust.security.AccessInvalidPointerExtensions
|
||||
private import codeql.rust.security.CleartextLoggingExtensions
|
||||
private import codeql.rust.security.CleartextTransmissionExtensions
|
||||
private import codeql.rust.security.SqlInjectionExtensions
|
||||
private import codeql.rust.security.WeakSensitiveDataHashingExtensions
|
||||
private import codeql.rust.security.TaintedPathExtensions
|
||||
private import codeql.rust.security.UncontrolledAllocationSizeExtensions
|
||||
private import codeql.rust.security.regex.RegexInjectionExtensions
|
||||
private import codeql.rust.security.WeakSensitiveDataHashingExtensions
|
||||
|
||||
/**
|
||||
* Gets a count of the total number of lines of code in the database.
|
||||
|
||||
Reference in New Issue
Block a user