Rust: Initial version of the query.

2026-04-23 15:55:18 +02:00 · 2025-03-13 17:04:48 +00:00
parent a139b3734c
commit dcd016f5be
7 changed files with 144 additions and 6 deletions
--- a/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
+++ b/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
@@ -0,0 +1,35 @@
+/**
+ * @name Access of invalid pointer
+ * @description Dereferencing an invalid or dangling pointer is undefined behavior and may cause memory corruption.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity TODO
+ * @precision TODO
+ * @id rust/access-invalid-pointer
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-476
+ *       external/cwe/cwe-825
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.security.AccessInvalidPointerExtensions
+import AccessInvalidPointerFlow::PathGraph
+
+/**
+ * A data flow configuration for accesses to invalid pointers.
+ */
+module AccessInvalidPointerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { node instanceof AccessInvalidPointer::Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof AccessInvalidPointer::Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof AccessInvalidPointer::Barrier }
+}
+
+module AccessInvalidPointerFlow = DataFlow::Global<AccessInvalidPointerConfig>;
+
+from AccessInvalidPointerFlow::PathNode sourceNode, AccessInvalidPointerFlow::PathNode sinkNode
+where AccessInvalidPointerFlow::flowPath(sourceNode, sinkNode)
+select sinkNode.getNode(), sourceNode, sinkNode, "This operation dereferences a pointer that may be $@.", sourceNode.getNode(), "invalid"
--- a/rust/ql/src/queries/summary/Stats.qll
+++ b/rust/ql/src/queries/summary/Stats.qll
@@ -12,6 +12,7 @@ private import codeql.rust.controlflow.internal.CfgConsistency as CfgConsistency
 private import codeql.rust.dataflow.internal.DataFlowConsistency as DataFlowConsistency
 private import codeql.rust.Concepts
 // import all query extensions files, so that all extensions of `QuerySink` are found
+private import codeql.rust.security.AccessInvalidPointerExtensions
 private import codeql.rust.security.CleartextLoggingExtensions
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.WeakSensitiveDataHashingExtensions