Rust: Have CleartextTransmissionSink extend QuerySink::Range. #19103

Closed
wants to merge 2 commits into from
Closed
Expand Up @@ -37,7 +37,7 @@ module CleartextLogging {
private class SensitiveDataAsSource extends Source instanceof SensitiveData { }

/** A sink for logging from model data. */
private class ModelsAsDataSinks extends Sink {
ModelsAsDataSinks() { exists(string s | sinkNode(this, s) and s.matches("log-injection%")) }
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { exists(string s | sinkNode(this, s) and s.matches("log-injection%")) }
}
}
Expand Up @@ -5,34 +5,44 @@

private import codeql.util.Unit
private import rust
private import codeql.rust.Concepts
private import codeql.rust.dataflow.DataFlow
private import codeql.rust.dataflow.FlowSink

/**
* A data flow sink for cleartext transmission vulnerabilities. That is,
* a `DataFlow::Node` of something that is transmitted over a network.
* Provides default sources, sinks and barriers for detecting cleartext
* transmission vulnerabilities, as well as extension points for adding your
* own.
*/
abstract class CleartextTransmissionSink extends DataFlow::Node { }
module CleartextTransmission {
/**
* A data flow sink for cleartext transmission vulnerabilities. That is,
* a `DataFlow::Node` of something that is transmitted over a network.
*/
abstract class Sink extends QuerySink::Range {
override string getSinkType() { result = "CleartextTransmission" }
}

/**
* A barrier for cleartext transmission vulnerabilities.
*/
abstract class CleartextTransmissionBarrier extends DataFlow::Node { }
/**
* A barrier for cleartext transmission vulnerabilities.
*/
abstract class Barrier extends DataFlow::Node { }

/**
* A unit class for adding additional flow steps.
*/
class CleartextTransmissionAdditionalFlowStep extends Unit {
/**
* Holds if the step from `node1` to `node2` should be considered a flow
* step for paths related to cleartext transmission vulnerabilities.
* A unit class for adding additional flow steps.
*/
abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
}
class AdditionalFlowStep extends Unit {
/**
* Holds if the step from `node1` to `node2` should be considered a flow
* step for paths related to cleartext transmission vulnerabilities.
*/
abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
}

/**
* A sink defined through MaD.
*/
private class MadCleartextTransmissionSink extends CleartextTransmissionSink {
MadCleartextTransmissionSink() { sinkNode(this, "transmission") }
/**
* A sink defined through MaD.
*/
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "transmission") }
}
}
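Review bot: The doc comment on `AdditionalFlowStep.step` is carried over unchanged and still refers to `node1` and `node2`, while the predicate's parameters are `nodeFrom` and `nodeTo`; since the comment is being moved anyway, rename the two references so the documentation matches the signature. The old top-level names `CleartextTransmissionSink`, `CleartextTransmissionBarrier` and `CleartextTransmissionAdditionalFlowStep` also appear to be removed without aliases, so any out-of-tree sink or barrier model that extends them would stop compiling after this change. If those names were ever part of a released library, consider keeping them for a deprecation period, e.g. `deprecated class CleartextTransmissionSink = CleartextTransmission::Sink;`.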
4 changes: 2 additions & 2 deletions rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll
Expand Up @@ -52,7 +52,7 @@ module SqlInjection {
}

/** A sink for sql-injection from model data. */
private class ModelsAsDataSinks extends Sink {
ModelsAsDataSinks() { sinkNode(this, "sql-injection") }
private class ModelsAsDataSink extends Sink {
ModelsAsDataSink() { sinkNode(this, "sql-injection") }
}
}
6 changes: 3 additions & 3 deletions rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql
Expand Up @@ -24,12 +24,12 @@ import codeql.rust.security.CleartextTransmissionExtensions
module CleartextTransmissionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node node) { node instanceof SensitiveData }

predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmissionSink }
predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmission::Sink }

predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextTransmissionBarrier }
predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextTransmission::Barrier }

predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
any(CleartextTransmissionAdditionalFlowStep s).step(nodeFrom, nodeTo)
any(CleartextTransmission::AdditionalFlowStep s).step(nodeFrom, nodeTo)
}

predicate isBarrierIn(DataFlow::Node node) {