hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Rust: add documentation

Browse Source
This commit is contained in:
Paolo Tranquilli
2025-06-06 16:19:20 +02:00
parent c70decbe86
commit f3e4f94e81
13 changed files with 410 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

300
docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst Normal file
View File

@@ -0,0 +1,300 @@
.. _analyzing-data-flow-in-rust:
Analyzing data flow in Rust
=============================
You can use CodeQL to track the flow of data through a Rust program to places where the data is used.
About this article
------------------
This article describes how data flow analysis is implemented in the CodeQL libraries for Rust and includes examples to help you write your own data flow queries.
The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking.
For a more general introduction to modeling data flow, see ":ref:`About data flow analysis <about-data-flow-analysis>`."
.. include:: ../reusables/new-data-flow-api.rst
Local data flow
---------------
Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before looking at more complex tracking, you should always consider local tracking because it is sufficient for many queries.
Using local data flow
~~~~~~~~~~~~~~~~~~~~~
You can use the local data flow library by importing the ``codeql.rust.dataflow.DataFlow`` module. The library uses the class ``Node`` to represent any element through which data can flow.
``Node``\ s are divided into expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``).
You can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate.
Similarly, you can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library.
.. code-block:: ql
class Node {
/** Gets the expression corresponding to this node, if any. */
CfgNodes::ExprCfgNode asExpr() { ... }
/** Gets the parameter corresponding to this node, if any. */
Parameter asParameter() { ... }
...
}
You can use the predicates ``exprNode`` and ``parameterNode`` to map from expressions and parameters to their data-flow node:
.. code-block:: ql
/**
* Gets a node corresponding to expression `e`.
*/
ExprNode exprNode(CfgNodes::ExprCfgNode e) { ... }
/**
* Gets the node corresponding to the value of parameter `p` at function entry.
*/
ParameterNode parameterNode(Parameter p) { ... }
Note that since ``asExpr`` and ``exprNode`` map between data-flow and control-flow nodes, you then need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node,
for example, by writing ``node.asExpr().getExpr()``.
A control-flow graph considers every way control can flow through code, consequently, there can be multiple data-flow and control-flow nodes associated with a single expression node in the AST.
The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``.
You can apply the predicate recursively, by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.
For example, you can find flow from an expression ``source`` to an expression ``sink`` in zero or more local steps:
.. code-block:: ql
DataFlow::localFlow(source, sink)
Using local taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~
Local taint tracking extends local data flow to include flow steps where values are not preserved, for example, string manipulation.
For example:
.. code-block:: rust
let y: String = "Hello ".to_owned() + x
If ``x`` is a tainted string then ``y`` is also tainted.
The local taint tracking library is in the module ``TaintTracking``.
Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``.
You can apply the predicate recursively, by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localTaint``.
For example, you can find taint propagation from an expression ``source`` to an expression ``sink`` in zero or more local steps:
.. code-block:: ql
TaintTracking::localTaint(source, sink)
Using local sources
~~~~~~~~~~~~~~~~~~~
When exploring local data flow or taint propagation between two expressions as above, you would normally constrain the expressions to be relevant to your investigation.
The next section gives some concrete examples, but first it's helpful to introduce the concept of a local source.
A local source is a data-flow node with no local data flow into it.
As such, it is a local origin of data flow, a place where a new value is created.
This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
It comes with a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.
Examples of local data flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~
This query finds the argument passed in each call to ``File::create``:
.. code-block:: ql
import rust
from CallExpr call
where call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create"
select call.getArg(0)
Unfortunately this will only give the expression in the argument, not the values which could be passed to it.
So we use local data flow to find all expressions that flow into the argument:
.. code-block:: ql
import rust
import codeql.rust.dataflow.DataFlow
from CallExpr call, DataFlow::ExprNode source, DataFlow::ExprNode sink
where
call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create" and
sink.asExpr().getExpr() = call.getArg(0) and
DataFlow::localFlow(source, sink)
select source, sink
We can vary the source, for example, making the source the parameter of a function rather than an expression. The following query finds where a parameter is used for the file creation:
.. code-block:: ql
import rust
import codeql.rust.dataflow.DataFlow
from CallExpr call, Method method, ParamDecl sourceParam, Expr sinkExpr
where
call.getStaticTarget() = method and
method.hasQualifiedName("String", "init(format:_:)") and
sinkExpr = call.getArgument(0).getExpr() and
DataFlow::localFlow(DataFlow::parameterNode(sourceParam), DataFlow::exprNode(sinkExpr))
select sourceParam, sinkExpr
The following example finds calls to ``String.init(format:_:)`` where the format string is not a hard-coded string literal:
.. code-block:: ql
import rust
import codeql.rust.dataflow.DataFlow
from CallExpr call, Method method, DataFlow::Node sinkNode
where
call.getStaticTarget() = method and
method.hasQualifiedName("String", "init(format:_:)") and
sinkNode.asExpr() = call.getArgument(0).getExpr() and
not exists(StringLiteralExpr sourceLiteral |
DataFlow::localFlow(DataFlow::exprNode(sourceLiteral), sinkNode)
)
select call, "Format argument to " + method.getName() + " isn't hard-coded."
Global data flow
----------------
Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow.
However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform.
.. pull-quote:: Note
.. include:: ../reusables/path-problem.rst
Using global data flow
~~~~~~~~~~~~~~~~~~~~~~
We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:
.. code-block:: ql
import codeql.rust.dataflow.DataFlow
module MyDataFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
...
}
predicate isSink(DataFlow::Node sink) {
...
}
}
module MyDataFlow = DataFlow::Global<MyDataFlowConfiguration>;
These predicates are defined in the configuration:
- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.
The last line (``module MyDataFlow = ...``) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using ``MyDataFlow::flow(DataFlow::Node source, DataFlow::Node sink)``:
.. code-block:: ql
from DataFlow::Node source, DataFlow::Node sink
where MyDataFlow::flow(source, sink)
select source, "Dataflow to $@.", sink, sink.toString()
Using global taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Global taint tracking is to global data flow what local taint tracking is to local data flow.
That is, global taint tracking extends global data flow with additional non-value-preserving steps.
The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using ``TaintTracking::Global``:
.. code-block:: ql
module MyTaintFlow = TaintTracking::Global<MyDataFlowConfiguration>;
from DataFlow::Node source, DataFlow::Node sink
where MyTaintFlow::flow(source, sink)
select source, "Taint flow to $@.", sink, sink.toString()
Predefined sources
~~~~~~~~~~~~~~~~~~
The data flow library module ``codeql.rust.dataflow.FlowSources`` contains a number of predefined sources that you can use to write security queries to track data flow and taint flow.
- The class ``RemoteFlowSource`` represents data flow from remote network inputs and from other applications.
- The class ``LocalFlowSource`` represents data flow from local user input.
- The class ``FlowSource`` includes both of the above.
Examples of global data flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The following global taint-tracking query finds places where a string literal is used in a function call argument named "password".
- Since this is a taint-tracking query, the ``TaintTracking::Global`` module is used.
- The ``isSource`` predicate defines sources as any ``StringLiteralExpr``.
- The ``isSink`` predicate defines sinks as arguments to a ``CallExpr`` called "password".
- The sources and sinks may need tuning to a particular use, for example, if passwords are represented by a type other than ``String`` or passed in arguments of a different name than "password".
.. code-block:: ql
import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
module ConstantPasswordConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node.asExpr() instanceof StringLiteralExpr }
predicate isSink(DataFlow::Node node) {
// any argument called `password`
exists(CallExpr call | call.getArgumentWithLabel("password").getExpr() = node.asExpr())
}
module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where ConstantPasswordFlow::flow(sourceNode, sinkNode)
select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString()
The following global taint-tracking query finds places where a value from a remote or local user input is used as an argument to the SQLite ``Connection.execute(_:)`` function.
- Since this is a taint-tracking query, the ``TaintTracking::Global`` module is used.
- The ``isSource`` predicate defines sources as a ``FlowSource`` (remote or local user input).
- The ``isSink`` predicate defines sinks as the first argument in any call to ``Connection.execute(_:)``.
.. code-block:: ql
import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking
import codeql.rust.dataflow.FlowSources
module SqlInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
predicate isSink(DataFlow::Node node) {
exists(CallExpr call |
call.getStaticTarget().(Method).hasQualifiedName("Connection", "execute(_:)") and
call.getArgument(0).getExpr() = node.asExpr()
)
}
}
module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;
from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where SqlInjectionFlow::flow(sourceNode, sinkNode)
select sinkNode, "This query depends on a $@.", sourceNode, "user-provided value"
Further reading
---------------
- `Exploring data flow with path queries <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries>`__ in the GitHub documentation.
.. include:: ../reusables/rust-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst

16
docs/codeql/codeql-language-guides/codeql-for-rust.rst Normal file
View File

@@ -0,0 +1,16 @@
.. _codeql-for-rust:
CodeQL for Rust
=========================
Experiment and learn how to write effective and efficient queries for CodeQL databases generated from Rust code.
.. toctree::
:hidden:
codeql-library-for-rust
analyzing-data-flow-in-rust
- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When you're analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
- :doc:`Analyzing data flow in Ruby <analyzing-data-flow-in-rust>`: You can use CodeQL to track the flow of data through a Rust program to places where the data is used.

62
docs/codeql/codeql-language-guides/codeql-library-for-rust.rst Normal file
View File

@@ -0,0 +1,62 @@
.. _codeql-library-for-rust:
CodeQL library for Rust
=================================
When you're analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
Overview
--------
CodeQL ships with a library for analyzing Rust code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide
abstractions and predicates to help you with common analysis tasks.
The library is implemented as a set of CodeQL modules, that is, files with the extension ``.qll``. The
module `rust.qll <https://github.com/github/codeql/blob/main/rust/ql/lib/rust.qll>`__ imports most other standard library modules, so you can include the complete
library by beginning your query with:
.. code-block:: ql
import rust
The CodeQL libraries model various aspects of Rust code. The above import includes the abstract syntax tree (AST) library, which is used for locating program elements,
to match syntactic elements in the source code. This can be used for example to find values, patterns and structures.
The control flow graph (CFG) is imported using
.. code-block:: ql
import codeql.rust.controlflow.ControlFlowGraph
The CFG models the control flow between statements and expressions, for example whether one expression can
be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
expression must flow through another expression first.
The data flow library is imported using
.. code-block:: ql
import codeql.rust.dataflow.DataFlow
Data flow tracks the flow of data through the program, including through function calls (interprocedural data flow) and between steps in a job or workflow.
Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program
to exploit it. Related to data flow, is the taint-tracking library, which finds how data can *influence* other values
in a program, even when it is not copied exactly.
To summarize, the main Rust library modules are:
.. list-table:: Main Rust library modules
:header-rows: 1
* - Import
- Description
* - ``rust``
- The standard Rust library
* - ``codeql.rust.elements``
- The abstract syntax tree library (also imported by `rust.qll`)
* - ``codeql.rust.controlflow.ControlFlowGraph``
- The control flow graph library
* - ``codeql.rust.dataflow.DataFlow``
- The data flow library
* - ``codeql.rust.dataflow.TaintTracking``
- The taint tracking library

1
docs/codeql/codeql-language-guides/index.rst
View File

@@ -15,4 +15,5 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
codeql-for-javascript
codeql-for-python
codeql-for-ruby
codeql-for-rust
codeql-for-swift

2
docs/codeql/codeql-overview/codeql-tools.rst
View File

@@ -39,6 +39,8 @@ maintained by GitHub are:
- ``codeql/python-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib>`__)
- ``codeql/ruby-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src>`__)
- ``codeql/ruby-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib>`__)
- ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__)
- ``codeql/rust-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib>`__)
- ``codeql/swift-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src>`__)
- ``codeql/swift-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib>`__)

2
docs/codeql/query-help/codeql-cwe-coverage.rst
View File

@@ -35,5 +35,5 @@ Note that the CWE coverage includes both "`supported queries <https://github.com
javascript-cwe
python-cwe
ruby-cwe
rust-cwe
swift-cwe

2
docs/codeql/query-help/index.rst
View File

@@ -11,6 +11,7 @@ View the query help for the queries included in the ``default``, ``security-exte
- :doc:`CodeQL query help for JavaScript and TypeScript <javascript>`
- :doc:`CodeQL query help for Python <python>`
- :doc:`CodeQL query help for Ruby <ruby>`
- :doc:`CodeQL query help for Rust <rust>`
- :doc:`CodeQL query help for Swift <swift>`
.. pull-quote:: Information
@@ -37,5 +38,6 @@ For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE cove
javascript
python
ruby
rust
swift
codeql-cwe-coverage

7
docs/codeql/query-help/rust-cwe.md Normal file
View File

@@ -0,0 +1,7 @@
# CWE coverage for Rust
An overview of CWE coverage for Rust in the latest release of CodeQL.
## Overview
<!-- autogenerated CWE coverage table will be added below -->

8
docs/codeql/query-help/rust.rst Normal file
View File

@@ -0,0 +1,8 @@
CodeQL query help for Rust
============================
.. include:: ../reusables/query-help-overview.rst
These queries are published in the CodeQL query pack ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__).
.. include:: toc-rust.rst

8
docs/codeql/reusables/extractors.rst
View File

@@ -6,9 +6,9 @@
- Identifier
* - GitHub Actions
- ``actions``
* - C/C++
* - C/C++
- ``cpp``
* - C#
* - C#
- ``csharp``
* - Go
- ``go``
@@ -20,5 +20,7 @@
- ``python``
* - Ruby
- ``ruby``
- Rust
- ``rust``
* - Swift
- ``swift``
- ``swift``

2
docs/codeql/reusables/rust-further-reading.rst Normal file
View File

@@ -0,0 +1,2 @@
- `CodeQL queries for Rust <https://github.com/github/codeql/tree/main/rust/ql/src>`__
- `CodeQL library reference for Rust <https://codeql.github.com/codeql-standard-libraries/rust/>`__

1
docs/codeql/writing-codeql-queries/about-codeql-queries.rst
View File

@@ -79,6 +79,7 @@ When writing your own alert queries, you would typically import the standard lib
- :ref:`CodeQL library guide for JavaScript <codeql-library-for-javascript>`
- :ref:`CodeQL library guide for Python <codeql-library-for-python>`
- :ref:`CodeQL library guide for Ruby <codeql-library-for-ruby>`
- :ref:`CodeQL library guide for Rust <codeql-library-for-rust>`
- :ref:`CodeQL library guide for TypeScript <codeql-library-for-typescript>`
There are also libraries containing commonly used predicates, types, and other modules associated with different analyses, including data flow, control flow, and taint-tracking. In order to calculate path graphs, path queries require you to import a data flow library into the query file. For more information, see ":doc:`Creating path queries <creating-path-queries>`."

5
docs/query-metadata-style-guide.md
View File

@@ -25,6 +25,7 @@ For examples of query files for the languages supported by CodeQL, visit the fol
* [JavaScript queries](https://codeql.github.com/codeql-query-help/javascript/)
* [Python queries](https://codeql.github.com/codeql-query-help/python/)
* [Ruby queries](https://codeql.github.com/codeql-query-help/ruby/)
* [Rust queries](https://codeql.github.com/codeql-query-help/rust/)
* [Swift queries](https://codeql.github.com/codeql-query-help/swift/)
## Metadata area
@@ -154,7 +155,7 @@ When you tag a query like this, the associated CWE pages from [MITRE.org](https:
* `@tags maintainability`for queries that detect patterns that make it harder for developers to make changes to the code.
* `@tags reliability`for queries that detect issues that affect whether the code will perform as expected during execution.
Software quality doesn't have as universally-agreed categorization method as security issues like CWE, so we will do our own categorization instead of using tags like CWE.
Software quality doesn't have as universally-agreed categorization method as security issues like CWE, so we will do our own categorization instead of using tags like CWE.
We'll use two "top-level" categories of quality queries, with sub-categories beneath:
@@ -162,7 +163,7 @@ We'll use two "top-level" categories of quality queries, with sub-categories ben
* `@tags readability`for queries that detect confusing patterns that make it harder for developers to read the code.
* `@tags useless-code`-for queries that detect functions that are never used and other instances of unused code
* `@tags complexity`-for queries that detect patterns in the code that lead to unnecesary complexity such as unclear control flow, or high cyclomatic complexity
* `@tags reliability`for queries that detect issues that affect whether the code will perform as expected during execution.
* `@tags correctness`for queries that detect incorrect program behavior or couse result in unintended outcomes.