Skip to content

Rust: update docs #19280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 26 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
00f6d9b
Rust: start preparing documentation changes
Apr 10, 2025
df427f7
Rust: add supported frameworks file
Apr 11, 2025
33c857c
Rust: update supported languages footnote
Apr 11, 2025
e2a86aa
Rust: update supported libraries
redsun82 May 2, 2025
00f4bfd
Rust: add some more supported libraries
redsun82 May 2, 2025
779d06f
Merge branch 'main' into redsun82/rust-doc
redsun82 Jun 6, 2025
c70decb
Rust: add `Callable::getParam` and `CallExprBase::getArg` shortcuts
redsun82 Jun 6, 2025
f3e4f94
Rust: add documentation
redsun82 Jun 6, 2025
9c2fea9
Rust: accept test changes
redsun82 Jun 10, 2025
f647b33
Rust: rerun codegen
redsun82 Jun 10, 2025
48721dc
Merge branch 'main' into redsun82/rust-doc
redsun82 Jun 10, 2025
3fe6ba6
Revert "Rust: add `Callable::getParam` and `CallExprBase::getArg` sho…
redsun82 Jun 10, 2025
b6aa692
Revert "Rust: accept test changes"
redsun82 Jun 10, 2025
02c11b1
Revert "Rust: rerun codegen"
redsun82 Jun 10, 2025
902a421
Rust: fix docs with `getArgList` and `getParamList`
redsun82 Jun 10, 2025
e1e34df
Merge branch 'main' into redsun82/rust-doc
redsun82 Jun 12, 2025
c56a325
Rust: remove now unneeded `get(Arg|Param)List` in the dataflow guide
redsun82 Jun 12, 2025
cae4a04
Rust: update `supported-frameworks.rst`
redsun82 Jun 13, 2025
ad3a5d7
Rust: add public preview change notes
redsun82 Jun 13, 2025
e9a0710
Rust: address review on docs
redsun82 Jun 17, 2025
494d192
Merge branch 'main' into redsun82/rust-doc
redsun82 Jun 18, 2025
e011475
Rust: fix formatting in doc snippet
redsun82 Jun 18, 2025
7a9f23c
Rust: fix `sphinx` error
redsun82 Jun 19, 2025
11af770
Merge branch 'main' into redsun82/rust-doc
redsun82 Jun 19, 2025
f812b64
Rust: address review
redsun82 Jun 19, 2025
9c06a82
Rust: apply suggestions from code review
redsun82 Jun 20, 2025
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
242 changes: 242 additions & 0 deletions docs/codeql/codeql-language-guides/analyzing-data-flow-in-rust.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,242 @@
.. _analyzing-data-flow-in-rust:

Analyzing data flow in Rust
=============================

You can use CodeQL to track the flow of data through a Rust program to places where the data is used.

About this article
------------------

This article describes how data flow analysis is implemented in the CodeQL libraries for Rust and includes examples to help you write your own data flow queries.
The following sections describe how to use the libraries for local data flow, global data flow, and taint tracking.
For a more general introduction to modeling data flow, see ":ref:`About data flow analysis <about-data-flow-analysis>`."

.. include:: ../reusables/new-data-flow-api.rst

Local data flow
---------------

Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before using more complex tracking, consider local tracking, as it is sufficient for many queries.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before using more complex tracking, consider local tracking, as it is sufficient for many queries.
Local data flow tracks the flow of data within a single method or callable. Local data flow is easier, faster, and more precise than global data flow. Before using more complex tracking, consider local tracking, as it is sufficient for many queries.


Using local data flow
~~~~~~~~~~~~~~~~~~~~~

You can use the local data flow library by importing the ``codeql.rust.dataflow.DataFlow`` module. The library uses the class ``Node`` to represent any element through which data can flow.
Common ``Node`` types include expression nodes (``ExprNode``) and parameter nodes (``ParameterNode``).
You can use the ``asExpr`` member predicate to map a data flow ``ExprNode`` to its corresponding ``ExprCfgNode`` in the control-flow library.
Similarly, you can map a data flow ``ParameterNode`` to its corresponding ``Parameter`` AST node using the ``asParameter`` member predicate.

.. code-block:: ql

class Node {
/**
* Gets the expression corresponding to this node, if any.
*/
CfgNodes::ExprCfgNode asExpr() { ... }

/**
* Gets the parameter corresponding to this node, if any.
*/
Parameter asParameter() { ... }

...
}

Note that because ``asExpr`` maps from data-flow to control-flow nodes, you need to call the ``getExpr`` member predicate on the control-flow node to map to the corresponding AST node. For example, you can write ``node.asExpr().getExpr()``.
A control-flow graph considers every way control can flow through code, consequently, there can be multiple data-flow and control-flow nodes associated with a single expression node in the AST.

The predicate ``localFlowStep(Node nodeFrom, Node nodeTo)`` holds if there is an immediate data flow edge from the node ``nodeFrom`` to the node ``nodeTo``.
You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localFlow``.

For example, you can find flow from an expression ``source`` to an expression ``sink`` in zero or more local steps:

.. code-block:: ql

DataFlow::localFlow(source, sink)

Using local taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~

Local taint tracking extends local data flow to include flow steps where values are not preserved, for example, string manipulation.
For example:

.. code-block:: rust

let y: String = "Hello ".to_owned() + x

If ``x`` is a tainted string then ``y`` is also tainted.

The local taint tracking library is in the module ``TaintTracking``.
Like local data flow, a predicate ``localTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo)`` holds if there is an immediate taint propagation edge from the node ``nodeFrom`` to the node ``nodeTo``.
You can apply the predicate recursively by using the ``+`` and ``*`` operators, or you can use the predefined recursive predicate ``localTaint``.

For example, you can find taint propagation from an expression ``source`` to an expression ``sink`` in zero or more local steps:

.. code-block:: ql

TaintTracking::localTaint(source, sink)


Using local sources
~~~~~~~~~~~~~~~~~~~

When exploring local data flow or taint propagation between two expressions, such as in the previous example, you typically constrain the expressions to those relevant to your investigation.
The next section provides concrete examples, but first introduces the concept of a local source.

A local source is a data-flow node with no local data flow into it.
It is a local origin of data flow, a place where a new value is created.
This includes parameters (which only receive values from global data flow) and most expressions (because they are not value-preserving).
The class ``LocalSourceNode`` represents data-flow nodes that are also local sources.
It includes a useful member predicate ``flowsTo(DataFlow::Node node)``, which holds if there is local data flow from the local source to ``node``.

Examples of local data flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~

This query finds the argument passed in each call to ``File::create``:

.. code-block:: ql

import rust

from CallExpr call
where call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create"
select call.getArg(0)

Unfortunately, this only returns the expression used as the argument, not the possible values that could be passed to it. To address this, you can use local data flow to find all expressions that flow into the argument.

.. code-block:: ql

import rust
import codeql.rust.dataflow.DataFlow

from CallExpr call, DataFlow::ExprNode source, DataFlow::ExprNode sink
where
call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create" and
sink.asExpr().getExpr() = call.getArg(0) and
DataFlow::localFlow(source, sink)
select source, sink

You can vary the source by making the source the parameter of a function instead of an expression. The following query finds where a parameter is used in file creation:

.. code-block:: ql

import rust
import codeql.rust.dataflow.DataFlow

from CallExpr call, DataFlow::ParameterNode source, DataFlow::ExprNode sink
where
call.getStaticTarget().(Function).getCanonicalPath() = "<std::fs::File>::create" and
sink.asExpr().getExpr() = call.getArg(0) and
DataFlow::localFlow(source, sink)
select source, sink

Global data flow
----------------

Global data flow tracks data flow throughout the entire program, and is therefore more powerful than local data flow.
However, global data flow is less precise than local data flow, and the analysis typically requires significantly more time and memory to perform.

.. pull-quote:: Note

.. include:: ../reusables/path-problem.rst

Using global data flow
~~~~~~~~~~~~~~~~~~~~~~

We can use the global data flow library by implementing the signature ``DataFlow::ConfigSig`` and applying the module ``DataFlow::Global<ConfigSig>``:

.. code-block:: ql

import codeql.rust.dataflow.DataFlow

module MyDataFlowConfiguration implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
...
}

predicate isSink(DataFlow::Node sink) {
...
}
}

module MyDataFlow = DataFlow::Global<MyDataFlowConfiguration>;

These predicates are defined in the configuration:

- ``isSource`` - defines where data may flow from.
- ``isSink`` - defines where data may flow to.
- ``isBarrier`` - optional, defines where data flow is blocked.
- ``isAdditionalFlowStep`` - optional, adds additional flow steps.

The last line (``module MyDataFlow = ...``) instantiates the parameterized module for data flow analysis by passing the configuration to the parameterized module. Data flow analysis can then be performed using ``MyDataFlow::flow(DataFlow::Node source, DataFlow::Node sink)``:

.. code-block:: ql

from DataFlow::Node source, DataFlow::Node sink
where MyDataFlow::flow(source, sink)
select source, "Dataflow to $@.", sink, sink.toString()

Using global taint tracking
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Global taint tracking relates to global data flow in the same way that local taint tracking relates to local data flow.
In other words, global taint tracking extends global data flow with additional non-value-preserving steps.
The global taint tracking library uses the same configuration module as the global data flow library. You can perform taint flow analysis using ``TaintTracking::Global``:

.. code-block:: ql

module MyTaintFlow = TaintTracking::Global<MyDataFlowConfiguration>;

from DataFlow::Node source, DataFlow::Node sink
where MyTaintFlow::flow(source, sink)
select source, "Taint flow to $@.", sink, sink.toString()

Predefined sources
~~~~~~~~~~~~~~~~~~

The library module ``codeql.rust.Concepts`` contains a number of predefined sources and sinks that you can use to write security queries to track data flow and taint flow.

Examples of global data flow
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following global taint-tracking query finds places where a string literal is used in a function call argument named "password".
- Since this is a taint-tracking query, the ``TaintTracking::Global`` module is used.
- The ``isSource`` predicate defines sources as any ``StringLiteralExpr``.
- The ``isSink`` predicate defines sinks as arguments to a ``CallExpr`` called "password".
- The sources and sinks may need to be adjusted for a particular use. For example, passwords might be represented by a type other than ``String`` or passed in arguments with a different name than "password".

.. code-block:: ql

import rust
import codeql.rust.dataflow.DataFlow
import codeql.rust.dataflow.TaintTracking

module ConstantPasswordConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node.asExpr().getExpr() instanceof StringLiteralExpr }

predicate isSink(DataFlow::Node node) {
// any argument going to a parameter called `password`
exists(Function f, CallExpr call, int index |
call.getArg(index) = node.asExpr().getExpr() and
call.getStaticTarget() = f and
f.getParam(index).getPat().(IdentPat).getName().getText() = "password"
)
}
}

module ConstantPasswordFlow = TaintTracking::Global<ConstantPasswordConfig>;

from DataFlow::Node sourceNode, DataFlow::Node sinkNode
where ConstantPasswordFlow::flow(sourceNode, sinkNode)
select sinkNode, "The value $@ is used as a constant password.", sourceNode, sourceNode.toString()


Further reading
---------------

- `Exploring data flow with path queries <https://docs.github.com/en/code-security/codeql-for-vs-code/getting-started-with-codeql-for-vs-code/exploring-data-flow-with-path-queries>`__ in the GitHub documentation.


.. include:: ../reusables/rust-further-reading.rst
.. include:: ../reusables/codeql-ref-tools-further-reading.rst
16 changes: 16 additions & 0 deletions docs/codeql/codeql-language-guides/codeql-for-rust.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@

.. _codeql-for-rust:

CodeQL for Rust
=========================

Experiment and learn how to write effective and efficient queries for CodeQL databases generated from Rust code.

.. toctree::
:hidden:

codeql-library-for-rust
analyzing-data-flow-in-rust

- :doc:`CodeQL library for Rust <codeql-library-for-rust>`: When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.
- :doc:`Analyzing data flow in Rust <analyzing-data-flow-in-rust>`: You can use CodeQL to track the flow of data through a Rust program to places where the data is used.
61 changes: 61 additions & 0 deletions docs/codeql/codeql-language-guides/codeql-library-for-rust.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
.. _codeql-library-for-rust:

CodeQL library for Rust
=================================

When analyzing Rust code, you can make use of the large collection of classes in the CodeQL library for Rust.

Overview
--------

CodeQL ships with a library for analyzing Rust code. The classes in this library present the data from a CodeQL database in an object-oriented form and provide
abstractions and predicates to help you with common analysis tasks.

The library is implemented as a set of CodeQL modules, which are files with the extension ``.qll``. The
module `rust.qll <https://github.com/github/codeql/blob/main/rust/ql/lib/rust.qll>`__ imports most other standard library modules, so you can include them
by beginning your query with:

.. code-block:: ql

import rust

The CodeQL libraries model various aspects of Rust code. The above import includes the abstract syntax tree (AST) library, which is used for locating program elements
to match syntactic elements in the source code. This can be used to find values, patterns, and structures.

The control flow graph (CFG) is imported using:

.. code-block:: ql

import codeql.rust.controlflow.ControlFlowGraph

The CFG models the control flow between statements and expressions. For example, it can determine whether one expression can
be evaluated before another expression, or whether an expression "dominates" another one, meaning that all paths to an
expression must flow through another expression first.

The data flow library is imported using:

.. code-block:: ql

import codeql.rust.dataflow.DataFlow

Data flow tracks the flow of data through the program, including across function calls (interprocedural data flow) and between steps in a job or workflow.
Data flow is particularly useful for security queries, where untrusted data flows to vulnerable parts of the program. The taint-tracking library is related to data flow,
and helps you find how data can *influence* other values in a program, even when it is not copied exactly.

To summarize, the main Rust library modules are:

.. list-table:: Main Rust library modules
:header-rows: 1

* - Import
- Description
* - ``rust``
- The standard Rust library
* - ``codeql.rust.elements``
- The abstract syntax tree library (also imported by `rust.qll`)
* - ``codeql.rust.controlflow.ControlFlowGraph``
- The control flow graph library
* - ``codeql.rust.dataflow.DataFlow``
- The data flow library
* - ``codeql.rust.dataflow.TaintTracking``
- The taint tracking library
1 change: 1 addition & 0 deletions docs/codeql/codeql-language-guides/index.rst
Original file line number Diff line number Diff line change
@@ -15,4 +15,5 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
codeql-for-javascript
codeql-for-python
codeql-for-ruby
codeql-for-rust
codeql-for-swift
2 changes: 2 additions & 0 deletions docs/codeql/codeql-overview/codeql-tools.rst
Original file line number Diff line number Diff line change
@@ -39,6 +39,8 @@ maintained by GitHub are:
- ``codeql/python-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/python/ql/lib>`__)
- ``codeql/ruby-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/src>`__)
- ``codeql/ruby-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/ruby/ql/lib>`__)
- ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__)
- ``codeql/rust-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/lib>`__)
- ``codeql/swift-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/src>`__)
- ``codeql/swift-all`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/swift/ql/lib>`__)

2 changes: 1 addition & 1 deletion docs/codeql/query-help/codeql-cwe-coverage.rst
Original file line number Diff line number Diff line change
@@ -35,5 +35,5 @@ Note that the CWE coverage includes both "`supported queries <https://github.com
javascript-cwe
python-cwe
ruby-cwe
rust-cwe
swift-cwe

2 changes: 2 additions & 0 deletions docs/codeql/query-help/index.rst
Original file line number Diff line number Diff line change
@@ -11,6 +11,7 @@ View the query help for the queries included in the ``default``, ``security-exte
- :doc:`CodeQL query help for JavaScript and TypeScript <javascript>`
- :doc:`CodeQL query help for Python <python>`
- :doc:`CodeQL query help for Ruby <ruby>`
- :doc:`CodeQL query help for Rust <rust>`
- :doc:`CodeQL query help for Swift <swift>`

.. pull-quote:: Information
@@ -37,5 +38,6 @@ For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE cove
javascript
python
ruby
rust
swift
codeql-cwe-coverage
7 changes: 7 additions & 0 deletions docs/codeql/query-help/rust-cwe.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# CWE coverage for Rust

An overview of CWE coverage for Rust in the latest release of CodeQL.

## Overview

<!-- autogenerated CWE coverage table will be added below -->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm appreciative of the automation here!

8 changes: 8 additions & 0 deletions docs/codeql/query-help/rust.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
CodeQL query help for Rust
============================

.. include:: ../reusables/query-help-overview.rst

These queries are published in the CodeQL query pack ``codeql/rust-queries`` (`changelog <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src/CHANGELOG.md>`__, `source <https://github.com/github/codeql/tree/codeql-cli/latest/rust/ql/src>`__).

.. include:: toc-rust.rst
8 changes: 5 additions & 3 deletions docs/codeql/reusables/extractors.rst
Original file line number Diff line number Diff line change
@@ -6,9 +6,9 @@
- Identifier
* - GitHub Actions
- ``actions``
* - C/C++
* - C/C++
- ``cpp``
* - C#
* - C#
- ``csharp``
* - Go
- ``go``
@@ -20,5 +20,7 @@
- ``python``
* - Ruby
- ``ruby``
- Rust
- ``rust``
* - Swift
- ``swift``
- ``swift``
Loading
Oops, something went wrong.