diff --git a/rust/ql/lib/codeql/rust/internal/Type.qll b/rust/ql/lib/codeql/rust/internal/Type.qll index ccf5c7543639..9cfa173c1a97 100644 --- a/rust/ql/lib/codeql/rust/internal/Type.qll +++ b/rust/ql/lib/codeql/rust/internal/Type.qll @@ -140,6 +140,9 @@ class EnumType extends Type, TEnum { EnumType() { this = TEnum(enum) } + /** Gets the enum that this enum type represents. */ + Enum getEnum() { result = enum } + override TypeParameter getPositionalTypeParameter(int i) { result = TTypeParamTypeParameter(enum.getGenericParamList().getTypeParam(i)) } diff --git a/rust/ql/lib/codeql/rust/security/Barriers.qll b/rust/ql/lib/codeql/rust/security/Barriers.qll index fbe3691b4123..845a689af11a 100644 --- a/rust/ql/lib/codeql/rust/security/Barriers.qll +++ b/rust/ql/lib/codeql/rust/security/Barriers.qll @@ -1,5 +1,5 @@ /** - * Classes to represent barriers commonly used in dataflow and taint tracking + * Classes to represent barriers commonly used in data flow and taint tracking * configurations. */ @@ -11,35 +11,33 @@ private import codeql.rust.controlflow.ControlFlowGraph as Cfg private import codeql.rust.controlflow.CfgNodes as CfgNodes private import codeql.rust.frameworks.stdlib.Builtins as Builtins -/** - * A node whose type is a numeric or boolean type, which may be an appropriate - * taint flow barrier for some queries. - */ +/** A node whose type is a numeric type. */ class NumericTypeBarrier extends DataFlow::Node { NumericTypeBarrier() { - exists(StructType t, Struct s | - t = TypeInference::inferType(this.asExpr()) and - s = t.getStruct() - | - s instanceof Builtins::NumericType or - s instanceof Builtins::Bool - ) + TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof + Builtins::NumericType } } -/** - * A node whose type is an integral (integer) or boolean type, which may be an - * appropriate taint flow barrier for some queries. - */ -class IntegralOrBooleanTypeBarrier extends DataFlow::Node { - IntegralOrBooleanTypeBarrier() { - exists(StructType t, Struct s | - t = TypeInference::inferType(this.asExpr()) and - s = t.getStruct() - | - s instanceof Builtins::IntegralType or - s instanceof Builtins::Bool - ) +/** A node whose type is `bool`. */ +class BooleanTypeBarrier extends DataFlow::Node { + BooleanTypeBarrier() { + TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof Builtins::Bool + } +} + +/** A node whose type is an integral (integer). */ +class IntegralTypeBarrier extends DataFlow::Node { + IntegralTypeBarrier() { + TypeInference::inferType(this.asExpr()).(StructType).getStruct() instanceof + Builtins::IntegralType + } +} + +/** A node whose type is a fieldless enum. */ +class FieldlessEnumTypeBarrier extends DataFlow::Node { + FieldlessEnumTypeBarrier() { + TypeInference::inferType(this.asExpr()).(EnumType).getEnum().isFieldless() } } diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll index 0961efd553fd..f634992fb81e 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll @@ -8,6 +8,7 @@ private import codeql.rust.dataflow.DataFlow private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts +private import codeql.rust.security.Barriers as Barriers /** * Provides default sources, sinks and barriers for detecting cleartext logging @@ -42,4 +43,9 @@ module CleartextLogging { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } + + private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier + { } } diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll index dafebc96731e..8ef4f64182ad 100644 --- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll @@ -49,4 +49,9 @@ module LogInjection { * numeric or boolean type, which is unlikely to expose any vulnerability. */ private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { } + + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } + + private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier + { } } diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll index ff81df37e405..d82065ec5edf 100644 --- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll @@ -64,4 +64,9 @@ module SqlInjection { * boolean type, which is unlikely to expose any vulnerability. */ private class NumericTypeBarrier extends Barrier instanceof Barriers::NumericTypeBarrier { } + + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } + + private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier + { } } diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll index 7c445bcbfd89..b6bd0cd899e5 100644 --- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll @@ -94,6 +94,7 @@ module RegexInjection { * We don't include floating point types in this barrier, as `.` is a special character * in regular expressions. */ - private class IntegralOrBooleanTypeBarrier extends Barrier instanceof Barriers::IntegralOrBooleanTypeBarrier - { } + private class IntegralTypeBarrier extends Barrier instanceof Barriers::IntegralTypeBarrier { } + + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } }