Rust: Refactor sources, sinks into an extensions source file.

Author: geoffw0

rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll

@@ -0,0 +1,49 @@
+/**
+ * Provides classes and predicates for reasoning about insecure cookie
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.rust.dataflow.internal.DataFlowImpl as DataflowImpl
+private import codeql.rust.dataflow.internal.Node
+
+/**
+ * Provides default sources, sinks and barriers for detecting insecure
+ * cookie vulnerabilities, as well as extension points for adding your own.
+ */
+module InsecureCookie {
+  /**
+   * A data flow source for insecure cookie vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for insecure cookie vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "InsecureCookie" }
+  }
+
+  /**
+   * A barrier for insecure cookie vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A source for insecure cookie vulnerabilities from model data.
+   */
+  private class ModelsAsDataSource extends Source {
+    ModelsAsDataSource() { sourceNode(this, "cookie-create") }
+  }
+
+  /**
+   * A sink for insecure cookie vulnerabilities from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "cookie-use") }
+  }
+}

rust/ql/src/queries/security/CWE-614/InsecureCookie.ql

@@ -16,22 +16,27 @@
 import rust
 import codeql.rust.dataflow.DataFlow
 import codeql.rust.dataflow.TaintTracking
-import codeql.rust.dataflow.FlowSource
-import codeql.rust.dataflow.FlowSink
+import codeql.rust.security.InsecureCookieExtensions
 
 /**
  * A data flow configuration for tracking values representing cookies without the
- * 'secure' flag set.
+ * 'secure' attribute set.
  */
 module InsecureCookieConfig implements DataFlow::ConfigSig {
+  import InsecureCookie
+
   predicate isSource(DataFlow::Node node) {
     // creation of a cookie or cookie configuration with default, insecure settings
-    sourceNode(node, "cookie-create")
+    node instanceof Source
   }
 
   predicate isSink(DataFlow::Node node) {
     // use of a cookie or cookie configuration
-    sinkNode(node, "cookie-use")
+    node instanceof Sink
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof Barrier
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
@@ -42,5 +47,6 @@ module InsecureCookieFlow = TaintTracking::Global<InsecureCookieConfig>;
 import InsecureCookieFlow::PathGraph
 
 from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
-where InsecureCookieFlow::flowPath(sourceNode, sinkNode)
+where
+  InsecureCookieFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."

rust/ql/src/queries/summary/Stats.qll

@@ -22,13 +22,14 @@ private import codeql.rust.security.AccessInvalidPointerExtensions
 private import codeql.rust.security.CleartextLoggingExtensions
 private import codeql.rust.security.CleartextStorageDatabaseExtensions
 private import codeql.rust.security.CleartextTransmissionExtensions
-private import codeql.rust.security.RequestForgeryExtensions
+private import codeql.rust.security.HardcodedCryptographicValueExtensions
+private import codeql.rust.security.InsecureCookieExtensions
 private import codeql.rust.security.LogInjectionExtensions
+private import codeql.rust.security.RequestForgeryExtensions
 private import codeql.rust.security.SqlInjectionExtensions
 private import codeql.rust.security.TaintedPathExtensions
 private import codeql.rust.security.UncontrolledAllocationSizeExtensions
 private import codeql.rust.security.WeakSensitiveDataHashingExtensions
-private import codeql.rust.security.HardcodedCryptographicValueExtensions
 
 /**
  * Gets a count of the total number of lines of code in the database.