Skip to content

Rust: Add default taint flow steps #18202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Dec 5, 2024
Merged

Rust: Add default taint flow steps #18202

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f10ffa3
Rust: Add tests for taint flow
paldepind Dec 4, 2024
2ada999
Rust: Include `as` expression in CFG nodes
paldepind Dec 4, 2024
70a296b
Rust: Add string slice taint flow test
paldepind Dec 4, 2024
3004639
Rust: Add default taint flow steps
paldepind Dec 4, 2024
d6ab7d2
Merge branch 'main' into rust-taint
paldepind Dec 4, 2024
5b6ce3e
Merge branch 'main' into rust-taint
paldepind Dec 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions rust/ql/.generated.list
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

72 changes: 72 additions & 0 deletions rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 32 additions & 2 deletions rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,45 @@
private import rust
private import codeql.dataflow.TaintTracking
private import codeql.rust.controlflow.CfgNodes
private import DataFlowImpl
private import codeql.rust.dataflow.FlowSummary
private import FlowSummaryImpl as FlowSummaryImpl
private import DataFlowImpl

module RustTaintTracking implements InputSig<Location, RustDataFlow> {
predicate defaultTaintSanitizer(Node::Node node) { none() }

/**
* Holds if the additional step from `src` to `sink` should be included in all
* Holds if the additional step from `pred` to `succ` should be included in all
* global taint flow configurations.
*/
predicate defaultAdditionalTaintStep(Node::Node src, Node::Node sink, string model) { none() }
predicate defaultAdditionalTaintStep(Node::Node pred, Node::Node succ, string model) {
model = "" and
(
exists(BinaryExprCfgNode binary |
binary.getOperatorName() = ["+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"] and
pred.asExpr() = [binary.getLhs(), binary.getRhs()] and
succ.asExpr() = binary
)
or
exists(PrefixExprCfgNode prefix |
prefix.getOperatorName() = ["-", "!"] and
pred.asExpr() = prefix.getExpr() and
succ.asExpr() = prefix
)
or
pred.asExpr() = succ.asExpr().(CastExprCfgNode).getExpr()
or
exists(IndexExprCfgNode index |
index.getIndex() instanceof RangeExprCfgNode and
pred.asExpr() = index.getBase() and
succ.asExpr() = index
)
)
or
FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
succ.(Node::FlowSummaryNode).getSummaryNode(), false, model)
}

/**
* Holds if taint flow configurations should allow implicit reads of `c` at sinks
Expand Down
2 changes: 1 addition & 1 deletion rust/ql/lib/codeql/rust/elements/CastExpr.qll
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ private import codeql.rust.elements.internal.generated.CastExpr
module Impl {
// the following QLdoc is generated: if you need to edit it, do it in the schema file
/**
* A cast expression. For example:
* A type cast expression. For example:
* ```rust
* value as u64;
* ```
Expand Down
2 changes: 1 addition & 1 deletion rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion rust/ql/test/extractor-tests/generated/.generated_tests.list
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

10 changes: 10 additions & 0 deletions rust/ql/test/library-tests/dataflow/models/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,16 @@ fn test_identify() {
sink(identity(s)); // $ hasValueFlow=1
}

// has a flow model
fn coerce(_i: i64) -> i64 {
0
}

fn test_coerce() {
let s = source(14);
sink(coerce(s)); // $ hasTaintFlow=14
}

enum MyPosEnum {
A(i64),
B(i64),
Expand Down
Loading
Loading