From 9409cd6ed7d0f9ee2fb3d863dda9df48831837f0 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Wed, 5 Feb 2025 18:32:43 +0000
Subject: [PATCH] Rust: Prototype query.
---
 .../UncontrolledAllocationSizeExtensions.qll | 34 ++++++++++++++
 .../CWE-770/UncontrolledAllocationSize.ql | 44 +++++++++++++++++++
 .../UncontrolledAllocationSize.expected | 4 ++
 3 files changed, 82 insertions(+)
 create mode 100644 rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
 create mode 100644 rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
new file mode 100644
index 00000000000..bb0ffbb4e3c
--- /dev/null
+++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll
@@ -0,0 +1,34 @@
+/**
+ * Provides classes and predicates for reasoning about uncontrolled allocation
+ * size vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.Concepts
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSink
+
+/**
+ * Provides default sources, sinks and barriers for detecting uncontrolled
+ * allocation size vulnerabilities, as well as extension points for adding your own.
+ */
+module UncontrolledAllocationSize {
+ /**
+ * A data flow sink for uncontrolled allocation size vulnerabilities.
+ */
+ abstract class Sink extends QuerySink::Range {
+ override string getSinkType() { result = "UncontrolledAllocationSize" }
+ }
+
+ /**
+ * A barrier for uncontrolled allocation size vulnerabilities.
+ */
+ abstract class Barrier extends DataFlow::Node { }
+
+ /**
+ * sink for uncontrolled allocation size from model data.
+ */
+ private class ModelsAsDataSink extends Sink {
+ ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) }
+ }
+}
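Review bot: `Barrier` is declared abstract and no concrete subclass of it appears in this file, so unless one is supplied elsewhere every tainted value that reaches an `alloc-size`/`alloc-layout` sink is reported, including a size that was already compared against an upper bound before the allocation; a default barrier for bounds-checked values would normally live in this module next to `ModelsAsDataSink`, and its absence is the main source of false positives to expect from the query in this commit. Whether such a barrier exists elsewhere in the tree is not visible from this diff. Separately, the doc comment on `ModelsAsDataSink` reads `* sink for uncontrolled allocation size from model data.`, while the other comments in the module open with a capitalized article; `* A sink for uncontrolled allocation size vulnerabilities, from model data.` would match them.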
diff --git a/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql b/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
new file mode 100644
index 00000000000..bbaaaf06a02
--- /dev/null
+++ b/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
@@ -0,0 +1,44 @@
+/**
+ * @name Uncontrolled allocation size
+ * @description Allocating memory with a size controlled by an external user can result in
+ * arbitrary amounts of memory being allocated.
+ * @kind path-problem
+ * @problem.severity recommendation
+ * @security-severity 7.5
+ * @precision high
+ * @id rust/uncontrolled-allocation-size
+ * @tags reliability
+ * security
+ * external/cwe/cwe-770
+ * external/cwe/cwe-789
+ */
+
+import rust
+import codeql.rust.Concepts
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.dataflow.internal.DataFlowImpl
+import codeql.rust.security.UncontrolledAllocationSizeExtensions
+
+/**
+ * A taint-tracking configuration for uncontrolled allocation size vulnerabilities.
+ */
+module UncontrolledAllocationConfig implements DataFlow::ConfigSig {
+ import UncontrolledAllocationSize
+
+ predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
+
+ predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+ predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+}
+
+module UncontrolledAllocationFlow = TaintTracking::Global;
+
+import UncontrolledAllocationFlow::PathGraph
+
+from UncontrolledAllocationFlow::PathNode source, UncontrolledAllocationFlow::PathNode sink
+where UncontrolledAllocationFlow::flowPath(source, sink)
+select sink.getNode(), source, sink,
+ "This allocation size is derived from a $@ and could allocate arbitrary amounts of memory.",
+ source.getNode(), "user-provided value"
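Review bot: `import codeql.rust.dataflow.internal.DataFlowImpl` brings an internal module into the query and nothing in the visible body uses it — the configuration only references `DataFlow::`, `TaintTracking::`, `ActiveThreatModelSource` and the `Sink`/`Barrier` classes from the extensions module — so the line should be dropped, or a comment should state what it is needed for. As rendered here, `module UncontrolledAllocationFlow = TaintTracking::Global;` has no configuration argument; if that is the file's content rather than an extraction loss, it needs to read `module UncontrolledAllocationFlow = TaintTracking::Global<UncontrolledAllocationConfig>;`. The metadata pairs `@problem.severity recommendation` with `@security-severity 7.5` and `@precision high`; `warning` is the usual problem severity for a security query at that score, and `high` precision is hard to stand behind while `isBarrier` can only match an abstract `Barrier` that nothing in this commit instantiates.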
diff --git a/rust/ql/test/query-tests/security/CWE-770/UncontrolledAllocationSize.expected b/rust/ql/test/query-tests/security/CWE-770/UncontrolledAllocationSize.expected
index e69de29bb2d..58f42bec0c8 100644
--- a/rust/ql/test/query-tests/security/CWE-770/UncontrolledAllocationSize.expected
+++ b/rust/ql/test/query-tests/security/CWE-770/UncontrolledAllocationSize.expected
@@ -0,0 +1,4 @@
+#select
+edges
+nodes
+subpaths
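Review bot: The updated `.expected` holds only the `#select`, `edges`, `nodes` and `subpaths` headers with no result rows, so the query test in this commit does not demonstrate a single flow into the `alloc-size`/`alloc-layout` sinks it introduces. If a test source for CWE-770 already exists, this means the query found nothing on it, which is worth checking before the file is accepted; if not, a test with an allocation sized from an `ActiveThreatModelSource` is needed before the `@precision high` claim can be checked against anything.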