Merge pull request #18202 from paldepind/rust-taint

Rust: Add default taint flow steps
github · Dec 5, 2024 · 1dbcaa0 · 1dbcaa0
2 parents 4bf63fe + 5b6ce3e
commit 1dbcaa0
Show file tree

Hide file tree

Showing 18 changed files with 329 additions and 59 deletions.
diff --git a/rust/ql/.generated.list b/rust/ql/.generated.list
diff --git a/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll b/rust/ql/lib/codeql/rust/controlflow/internal/generated/CfgNodes.qll
diff --git a/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll b/rust/ql/lib/codeql/rust/dataflow/internal/TaintTrackingImpl.qll
@@ -1,15 +1,45 @@
 private import rust
 private import codeql.dataflow.TaintTracking
+private import codeql.rust.controlflow.CfgNodes
+private import DataFlowImpl
+private import codeql.rust.dataflow.FlowSummary
+private import FlowSummaryImpl as FlowSummaryImpl
 private import DataFlowImpl
 
 module RustTaintTracking implements InputSig<Location, RustDataFlow> {
   predicate defaultTaintSanitizer(Node::Node node) { none() }
 
   /**
-   * Holds if the additional step from `src` to `sink` should be included in all
+   * Holds if the additional step from `pred` to `succ` should be included in all
    * global taint flow configurations.
    */
-  predicate defaultAdditionalTaintStep(Node::Node src, Node::Node sink, string model) { none() }
+  predicate defaultAdditionalTaintStep(Node::Node pred, Node::Node succ, string model) {
+    model = "" and
+    (
+      exists(BinaryExprCfgNode binary |
+        binary.getOperatorName() = ["+", "-", "*", "/", "%", "&", "|", "^", "<<", ">>"] and
+        pred.asExpr() = [binary.getLhs(), binary.getRhs()] and
+        succ.asExpr() = binary
+      )
+      or
+      exists(PrefixExprCfgNode prefix |
+        prefix.getOperatorName() = ["-", "!"] and
+        pred.asExpr() = prefix.getExpr() and
+        succ.asExpr() = prefix
+      )
+      or
+      pred.asExpr() = succ.asExpr().(CastExprCfgNode).getExpr()
+      or
+      exists(IndexExprCfgNode index |
+        index.getIndex() instanceof RangeExprCfgNode and
+        pred.asExpr() = index.getBase() and
+        succ.asExpr() = index
+      )
+    )
+    or
+    FlowSummaryImpl::Private::Steps::summaryLocalStep(pred.(Node::FlowSummaryNode).getSummaryNode(),
+      succ.(Node::FlowSummaryNode).getSummaryNode(), false, model)
+  }
 
   /**
    * Holds if taint flow configurations should allow implicit reads of `c` at sinks

diff --git a/rust/ql/lib/codeql/rust/elements/CastExpr.qll b/rust/ql/lib/codeql/rust/elements/CastExpr.qll
diff --git a/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll b/rust/ql/lib/codeql/rust/elements/internal/CastExprImpl.qll
@@ -13,7 +13,7 @@ private import codeql.rust.elements.internal.generated.CastExpr
 module Impl {
   // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
-   * A cast expression. For example:
+   * A type cast expression. For example:
    * ```rust
    * value as u64;
    * ```

diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/CastExpr.qll
diff --git a/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll b/rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll
diff --git a/rust/ql/test/extractor-tests/generated/.generated_tests.list b/rust/ql/test/extractor-tests/generated/.generated_tests.list
diff --git a/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs b/rust/ql/test/extractor-tests/generated/CastExpr/gen_cast_expr.rs
diff --git a/rust/ql/test/library-tests/dataflow/models/main.rs b/rust/ql/test/library-tests/dataflow/models/main.rs
@@ -16,6 +16,16 @@ fn test_identify() {
     sink(identity(s)); // $ hasValueFlow=1
 }
 
+// has a flow model
+fn coerce(_i: i64) -> i64 {
+    0
+}
+
+fn test_coerce() {
+    let s = source(14);
+    sink(coerce(s)); // $ hasTaintFlow=14
+}
+
 enum MyPosEnum {
     A(i64),
     B(i64),