mirror of
https://github.com/github/codeql.git
synced 2026-04-24 00:05:14 +02:00
Merge pull request #21563 from owen-mc/rust/allow-mad-barriers
Rust: Enable MaD barriers for queries with MaD sinks
This commit is contained in:
Owen Mansel-Chan
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSource
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
@@ -69,6 +70,13 @@ module AccessInvalidPointer {
|
||||
ModelsAsDataSink() { sinkNode(this, "pointer-access") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for invalid pointer access from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "pointer-access") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for invalid pointer access vulnerabilities for values checked to
|
||||
* be non-`null`.
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.security.SensitiveData
|
||||
private import codeql.rust.Concepts
|
||||
@@ -44,6 +45,13 @@ module CleartextLogging {
|
||||
ModelsAsDataSink() { sinkNode(this, "log-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for logging from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
|
||||
}
|
||||
|
||||
private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { }
|
||||
|
||||
private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier
|
||||
|
||||
@@ -45,4 +45,11 @@ module CleartextStorageDatabase {
|
||||
private class ModelsAsDataSink extends Sink {
|
||||
ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for cleartext storage vulnerabilities from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
private import codeql.util.Unit
|
||||
private import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.security.SensitiveData
|
||||
private import codeql.rust.Concepts
|
||||
@@ -55,4 +56,11 @@ module CleartextTransmission {
|
||||
private class ModelsAsDataSink extends Sink {
|
||||
ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier defined through MaD.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.rust.dataflow.internal.Node as Node
|
||||
@@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions {
|
||||
override string getSinkType() { result = "DisabledCertificateCheck" }
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow barrier for disabled certificate check vulnerabilities.
|
||||
*/
|
||||
abstract class Barrier extends DataFlow::Node { }
|
||||
|
||||
/**
|
||||
* A sink for disabled certificate check vulnerabilities from model data.
|
||||
*/
|
||||
@@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions {
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for disabled certificate check vulnerabilities from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSource
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
@@ -130,6 +131,19 @@ module HardcodedCryptographicValue {
|
||||
override CryptographicValueKind getKind() { result = kind }
|
||||
}
|
||||
|
||||
/**
|
||||
* An externally modeled barrier for hard-coded cryptographic value vulnerabilities.
|
||||
*
|
||||
* Note that a barrier will block flow to all hard-coded cryptographic value
|
||||
* sinks, regardless of the `kind` that is specified. For example a barrier of
|
||||
* kind `credentials-key` will block flow to a sink of kind `credentials-iv`.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() {
|
||||
exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind))
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `getrandom` that is a barrier.
|
||||
*/
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSource
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
@@ -48,6 +49,13 @@ module InsecureCookie {
|
||||
ModelsAsDataSink() { sinkNode(this, "cookie-use") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for insecure cookie vulnerabilities from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "cookie-use") }
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`,
|
||||
* with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example,
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.util.Unit
|
||||
@@ -44,6 +45,13 @@ module LogInjection {
|
||||
ModelsAsDataSink() { sinkNode(this, "log-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for log-injection from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "log-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for log injection vulnerabilities for nodes whose type is a
|
||||
* numeric type, which is unlikely to expose any vulnerability.
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.dataflow.FlowSource
|
||||
private import codeql.rust.Concepts
|
||||
@@ -46,4 +47,11 @@ module RequestForgery {
|
||||
private class ModelsAsDataSink extends Sink {
|
||||
ModelsAsDataSink() { sinkNode(this, "request-url") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for request forgery from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "request-url") }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.util.Unit
|
||||
@@ -53,12 +54,19 @@ module SqlInjection {
|
||||
}
|
||||
|
||||
/**
|
||||
* A sink for sql-injection from model data.
|
||||
* A sink for SQL injection from model data.
|
||||
*/
|
||||
private class ModelsAsDataSink extends Sink {
|
||||
ModelsAsDataSink() { sinkNode(this, "sql-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for SQL injection from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "sql-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for SQL injection vulnerabilities for nodes whose type is a numeric
|
||||
* type, which is unlikely to expose any vulnerability.
|
||||
|
||||
@@ -47,6 +47,11 @@ module TaintedPath {
|
||||
private class ModelsAsDataSinks extends Sink {
|
||||
ModelsAsDataSinks() { sinkNode(this, "path-injection") }
|
||||
}
|
||||
|
||||
/** A barrier for path-injection from model data. */
|
||||
private class ModelsAsDataBarriers extends Barrier {
|
||||
ModelsAsDataBarriers() { barrierNode(this, "path-injection") }
|
||||
}
|
||||
}
|
||||
|
||||
private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) {
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
import rust
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
|
||||
/**
|
||||
@@ -32,6 +33,13 @@ module UncontrolledAllocationSize {
|
||||
ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for uncontrolled allocation size from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for uncontrolled allocation size that is an upper bound check / guard.
|
||||
*/
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
|
||||
@@ -59,4 +60,11 @@ module UseOfHttp {
|
||||
private class ModelsAsDataSink extends Sink {
|
||||
ModelsAsDataSink() { sinkNode(this, "request-url") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for use of HTTP URLs from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "request-url") }
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,7 @@
|
||||
|
||||
import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.util.Unit
|
||||
@@ -44,6 +45,13 @@ module Xss {
|
||||
ModelsAsDataSink() { sinkNode(this, "html-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for XSS from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "html-injection") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for XSS vulnerabilities for nodes whose type is a
|
||||
* numeric or boolean type, which is unlikely to expose any vulnerability.
|
||||
|
||||
@@ -6,6 +6,7 @@
|
||||
private import codeql.util.Unit
|
||||
private import rust
|
||||
private import codeql.rust.dataflow.DataFlow
|
||||
private import codeql.rust.dataflow.FlowBarrier
|
||||
private import codeql.rust.dataflow.FlowSink
|
||||
private import codeql.rust.Concepts
|
||||
private import codeql.rust.security.Barriers as Barriers
|
||||
@@ -69,6 +70,13 @@ module RegexInjection {
|
||||
ModelsAsDataSink() { sinkNode(this, "regex-use") }
|
||||
}
|
||||
|
||||
/**
|
||||
* A barrier for regular expression injection from model data.
|
||||
*/
|
||||
private class ModelsAsDataBarrier extends Barrier {
|
||||
ModelsAsDataBarrier() { barrierNode(this, "regex-use") }
|
||||
}
|
||||
|
||||
/**
|
||||
* An escape barrier for regular expression injection vulnerabilities.
|
||||
*/
|
||||
|
||||
@@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig {
|
||||
|
||||
predicate isSink(DataFlow::Node node) { node instanceof Sink }
|
||||
|
||||
predicate isBarrier(DataFlow::Node node) { node instanceof Barrier }
|
||||
|
||||
predicate observeDiffInformedIncrementalMode() { any() }
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user