From e9a071032cd3cbd2e6e265e0056b5c0f7bcab6f6 Mon Sep 17 00:00:00 2001 From: Paolo Tranquilli Date: Tue, 17 Jun 2025 11:19:59 +0200 Subject: [PATCH] Rust: address review on docs --- .../analyzing-data-flow-in-rust.rst | 49 ++++++------------- .../codeql-for-rust.rst | 2 +- .../codeql-library-for-rust.rst | 6 +-- 3 files changed, 19 insertions(+), 38 deletions(-) diff --git a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst index 3eab09126f3..a68dc08a22b 100644 --- a/docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst +++ b/docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst @@ -23,10 +23,9 @@ Using local data flow ~~~~~~~~~~~~~~~~~~~~~ You can use the local data flow library by importing the ``codeql.rust.dataflow.DataFlow`` module. The library uses the class ``Node`` to represent any element through which data can flow. -``Node``\ s are divided into expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``). -You can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate. -Similarly, you can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library. - +Common ``Node`` types include expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``). +You can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library. +Similarly, you can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate. .. code-block:: ql class Node { @@ -39,22 +38,8 @@ Similarly, you can use the ``asExpr`` member predicate to map a data flow ``Expr ... } -You can use the predicates ``exprNode`` and ``parameterNode`` to map from expressions and parameters to their data-flow node: - -.. code-block:: ql - - /** - * Gets a node corresponding to expression `e`. - */ - ExprNode exprNode(CfgNodes::ExprCfgNode e) { ... } - - /** - * Gets the node corresponding to the value of parameter `p` at function entry. - */ - ParameterNode parameterNode(Parameter p) { ... } - -Note that since ``asExpr`` and ``exprNode`` map between data-flow and control-flow nodes, you then need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node, -for example, by writing ``node.asExpr().getExpr()``. +Note that since ``asExpr`` maps from data-flow to control-flow nodes, you then need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node, +for example by writing ``node.asExpr().getExpr()``. A control-flow graph considers every way control can flow through code, consequently, there can be multiple data-flow and control-flow nodes associated with a single expression node in the AST. The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``. @@ -207,11 +192,7 @@ The global taint tracking library uses the same configuration module as the glob Predefined sources ~~~~~~~~~~~~~~~~~~ -The data flow library module ``codeql.rust.dataflow.FlowSources`` contains a number of predefined sources that you can use to write security queries to track data flow and taint flow. - -- The class ``RemoteFlowSource`` represents data flow from remote network inputs and from other applications. -- The class ``LocalFlowSource`` represents data flow from local user input. -- The class ``FlowSource`` includes both of the above. +The library module ``codeql.rust.Concepts`` contains a number of predefined sources and sinks that you can use to write security queries to track data flow and taint flow. Examples of global data flow ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ @@ -229,16 +210,16 @@ The following global taint-tracking query finds places where a string literal is import codeql.rust.dataflow.TaintTracking module ConstantPasswordConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr } + predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr } - predicate isSink(DataFlow::Node node) { - // any argument going to a parameter called `password` - exists(Function f, CallExpr call, int index | - call.getArg(index) = node.asExpr().getExpr() and - call.getStaticTarget() = f and - f.getParam(index).getPat().(IdentPat).getName().getText() = "password" - ) - } + predicate isSink(DataFlow::Node node) { + // any argument going to a parameter called `password` + exists(Function f, CallExpr call, int index | + call.getArg(index) = node.asExpr().getExpr() and + call.getStaticTarget() = f and + f.getParam(index).getPat().(IdentPat).getName().getText() = "password" + ) + } } module ConstantPasswordFlow = TaintTracking::Global; diff --git a/docs/codeql/codeql-language-guides/codeql-for-rust.rst b/docs/codeql/codeql-language-guides/codeql-for-rust.rst index c8262208cf5..a2c5bb98724 100644 --- a/docs/codeql/codeql-language-guides/codeql-for-rust.rst +++ b/docs/codeql/codeql-language-guides/codeql-for-rust.rst @@ -13,4 +13,4 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat analyzing-data-flow-in-rust - :doc:`CodeQL library for Rust `: When you're analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust. -- :doc:`Analyzing data flow in Ruby `: You can use CodeQL to track the flow of data through a Rust program to places where the data is used. +- :doc:`Analyzing data flow in Rust `: You can use CodeQL to track the flow of data through a Rust program to places where the data is used. diff --git a/docs/codeql/codeql-language-guides/codeql-library-for-rust.rst b/docs/codeql/codeql-language-guides/codeql-library-for-rust.rst index dd25d769692..348490e22dd 100644 --- a/docs/codeql/codeql-language-guides/codeql-library-for-rust.rst +++ b/docs/codeql/codeql-language-guides/codeql-library-for-rust.rst @@ -12,14 +12,14 @@ CodeQL ships with a library for analyzing Rust code. The classes in this library abstractions and predicates to help you with common analysis tasks. The library is implemented as a set of CodeQL modules, that is, files with the extension ``.qll``. The -module `rust.qll `__ imports most other standard library modules, so you can include the complete -library by beginning your query with: +module `rust.qll `__ imports most other standard library modules, so you can include them +by beginning your query with: .. code-block:: ql import rust -The CodeQL libraries model various aspects of Rust code. The above import includes the abstract syntax tree (AST) library, which is used for locating program elements, +The CodeQL libraries model various aspects of Rust code. The above import includes the abstract syntax tree (AST) library, which is used for locating program elements to match syntactic elements in the source code. This can be used for example to find values, patterns and structures. The control flow graph (CFG) is imported using