Rust: Account for the 'secure' and 'partitioned' attributes.

Author: geoffw0

rust/ql/lib/codeql/rust/frameworks/biscotti.model.yml

@@ -16,8 +16,8 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
-      - ["<biscotti::response_cookie::ResponseCookie>::set_secure", "Argument[self]", "ReturnValue", "taint", "manual"]
-      - ["<biscotti::response_cookie::ResponseCookie>::set_partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<biscotti::response_cookie::ResponseCookie>::set_secure", "Argument[self].OptionalBarrier[cookie-secure-arg0]", "ReturnValue", "taint", "manual"]
+      - ["<biscotti::response_cookie::ResponseCookie>::set_partitioned", "Argument[self].OptionalBarrier[cookie-partitioned-arg0]", "ReturnValue", "taint", "manual"]
       - ["<biscotti::response_cookie::ResponseCookie>::set_name", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<biscotti::response_cookie::ResponseCookie>::set_value", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<biscotti::response_cookie::ResponseCookie>::set_http_only", "Argument[self]", "ReturnValue", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/cookie.model.yml

@@ -26,8 +26,8 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
-      - ["<cookie::builder::CookieBuilder>::secure", "Argument[self]", "ReturnValue", "taint", "manual"]
-      - ["<cookie::builder::CookieBuilder>::partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<cookie::builder::CookieBuilder>::secure", "Argument[self].OptionalBarrier[cookie-secure-arg0]", "ReturnValue", "taint", "manual"]
+      - ["<cookie::builder::CookieBuilder>::partitioned", "Argument[self].OptionalBarrier[cookie-partitioned-arg0]", "ReturnValue", "taint", "manual"]
       - ["<cookie::builder::CookieBuilder>::expires", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<cookie::builder::CookieBuilder>::max_age", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<cookie::builder::CookieBuilder>::domain", "Argument[self]", "ReturnValue", "taint", "manual"]
@@ -36,5 +36,5 @@ extensions:
       - ["<cookie::builder::CookieBuilder>::same_site", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<cookie::builder::CookieBuilder>::permanent", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["<cookie::builder::CookieBuilder>::removal", "Argument[self]", "ReturnValue", "taint", "manual"]
-      - ["<cookie::Cookie>::set_secure", "Argument[self]", "ReturnValue", "taint", "manual"]
-      - ["<cookie::Cookie>::set_partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]
+      - ["<cookie::Cookie>::set_secure", "Argument[self].OptionalBarrier[cookie-secure-arg0]", "ReturnValue", "taint", "manual"]
+      - ["<cookie::Cookie>::set_partitioned", "Argument[self].OptionalBarrier[cookie-partitioned-arg0]", "ReturnValue", "taint", "manual"]

rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll

@@ -46,4 +46,36 @@ module InsecureCookie {
   private class ModelsAsDataSink extends Sink {
     ModelsAsDataSink() { sinkNode(this, "cookie-use") }
   }
+
+  /**
+   * Holds if cookie attribute `attrib` (`secure` or `partitioned`) is set to `value` (`true` or `false`) at `node`.
+   * A value that cannot be determined is treated as `false`.
+   *
+   * This references models-as-data optional barrier nodes, for example `OptionalBarrier[cookie-secure-arg0]`.
+   */
+  predicate cookieSetNode(DataFlow::Node node, string attrib, boolean value) {
+    exists(
+      FlowSummaryNode summaryNode, string barrierName, CallExprBase ce, int arg,
+      DataFlow::Node argNode
+    |
+      // decode a `cookie-`... optional barrier
+      DataflowImpl::optionalBarrier(summaryNode, barrierName) and
+      attrib = barrierName.regexpCapture("cookie-(secure|partitioned)-arg([0-9]+)", 1) and
+      arg = barrierName.regexpCapture("cookie-(secure|partitioned)-arg([0-9]+)", 2).toInt() and
+      // find a call and arg referenced by this optional barrier
+      ce.getStaticTarget() = summaryNode.getSummarizedCallable() and
+      ce.getArg(arg) = argNode.asExpr().getExpr() and
+      // check if the argument is always `true`
+      (
+        if
+          forex(DataFlow::Node argSourceNode | DataFlow::localFlow(argSourceNode, argNode) |
+            argSourceNode.asExpr().getExpr().(BooleanLiteralExpr).getTextValue() = "true"
+          )
+        then value = true // `true` flow to here
+        else value = false // `false` or unknown
+      ) and
+      // and the node `node` where this happens
+      node.asExpr().getExpr() = ce
+    )
+  }
 }

rust/ql/src/queries/security/CWE-614/InsecureCookie.ql

@@ -20,14 +20,18 @@ import codeql.rust.security.InsecureCookieExtensions
 
 /**
  * A data flow configuration for tracking values representing cookies without the
- * 'secure' attribute set.
+ * 'secure' attribute set. This is the primary data flow configurationn for this
+ * query.
  */
 module InsecureCookieConfig implements DataFlow::ConfigSig {
   import InsecureCookie
 
   predicate isSource(DataFlow::Node node) {
     // creation of a cookie or cookie configuration with default, insecure settings
     node instanceof Source
+    or
+    // setting the 'secure' attribute to false (or an unknown value)
+    cookieSetNode(node, "secure", false)
   }
 
   predicate isSink(DataFlow::Node node) {
@@ -36,6 +40,37 @@ module InsecureCookieConfig implements DataFlow::ConfigSig {
   }
 
   predicate isBarrier(DataFlow::Node node) {
+    // setting the 'secure' attribute to true
+    cookieSetNode(node, "secure", true)
+    or
+    node instanceof Barrier
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+/**
+ * A data flow configuration for tracking values representing cookies with the
+ * 'partitioned' attribute set. This is a secondary data flow configuration used
+ * to filter out unwanted results.
+ */
+module PartitionedCookieConfig implements DataFlow::ConfigSig {
+  import InsecureCookie
+
+  predicate isSource(DataFlow::Node node) {
+    // setting the 'partitioned' attribute to true
+    cookieSetNode(node, "partitioned", true)
+  }
+
+  predicate isSink(DataFlow::Node node) {
+    // use of a cookie or cookie configuration
+    node instanceof Sink
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // setting the 'partitioned' attribute to false (or an unknown value)
+    cookieSetNode(node, "partitioned", false)
+    or
     node instanceof Barrier
   }
 
@@ -44,9 +79,12 @@ module InsecureCookieConfig implements DataFlow::ConfigSig {
 
 module InsecureCookieFlow = TaintTracking::Global<InsecureCookieConfig>;
 
+module PartitionedCookieFlow = TaintTracking::Global<PartitionedCookieConfig>;
+
 import InsecureCookieFlow::PathGraph
 
 from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
 where
-  InsecureCookieFlow::flowPath(sourceNode, sinkNode)
+  InsecureCookieFlow::flowPath(sourceNode, sinkNode) and
+  not PartitionedCookieFlow::flow(_, sinkNode.getNode())
 select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."

rust/ql/test/query-tests/security/CWE-614/CookieSet.expected

@@ -0,0 +1,44 @@
+| main.rs:8:19:8:64 | ... .secure(...) | secure | false |
+| main.rs:12:19:12:63 | ... .secure(...) | secure | true |
+| main.rs:20:5:20:54 | ... .secure(...) | secure | false |
+| main.rs:21:5:21:55 | ... .secure(...) | secure | false |
+| main.rs:24:5:24:51 | ... .secure(...) | secure | false |
+| main.rs:25:5:25:52 | ... .secure(...) | secure | false |
+| main.rs:26:5:26:50 | ... .secure(...) | secure | false |
+| main.rs:27:5:27:51 | ... .secure(...) | secure | false |
+| main.rs:28:5:28:60 | ... .secure(...) | secure | false |
+| main.rs:29:5:29:60 | ... .secure(...) | secure | false |
+| main.rs:33:9:33:58 | ... .secure(...) | secure | false |
+| main.rs:35:9:35:58 | ... .secure(...) | secure | false |
+| main.rs:39:5:39:53 | ... .secure(...) | secure | false |
+| main.rs:40:5:40:64 | ... .secure(...) | secure | false |
+| main.rs:41:5:41:93 | ... .secure(...) | secure | false |
+| main.rs:42:5:42:72 | ... .secure(...) | secure | false |
+| main.rs:43:5:43:60 | ... .secure(...) | secure | false |
+| main.rs:44:5:44:66 | ... .secure(...) | secure | false |
+| main.rs:45:5:45:86 | ... .secure(...) | secure | false |
+| main.rs:46:5:46:62 | ... .secure(...) | secure | false |
+| main.rs:47:5:47:60 | ... .secure(...) | secure | false |
+| main.rs:48:5:48:50 | ... .secure(...) | secure | false |
+| main.rs:49:5:49:39 | ... .secure(...) | secure | false |
+| main.rs:50:5:50:54 | ... .secure(...) | secure | false |
+| main.rs:53:5:53:49 | ... .secure(...) | secure | true |
+| main.rs:53:5:53:63 | ... .secure(...) | secure | false |
+| main.rs:54:5:54:50 | ... .secure(...) | secure | false |
+| main.rs:54:5:54:63 | ... .secure(...) | secure | true |
+| main.rs:61:5:61:22 | a.set_secure(...) | secure | true |
+| main.rs:63:5:63:23 | a.set_secure(...) | secure | false |
+| main.rs:71:5:71:27 | b.set_secure(...) | secure | false |
+| main.rs:73:5:73:22 | b.set_secure(...) | secure | true |
+| main.rs:81:9:81:26 | c.set_secure(...) | secure | true |
+| main.rs:84:5:84:22 | c.set_secure(...) | secure | true |
+| main.rs:90:9:90:26 | c.set_secure(...) | secure | true |
+| main.rs:92:9:92:31 | c.set_partitioned(...) | partitioned | true |
+| main.rs:109:9:109:26 | e.set_secure(...) | secure | true |
+| main.rs:114:5:114:54 | ... .partitioned(...) | partitioned | true |
+| main.rs:126:13:126:30 | a.set_secure(...) | secure | true |
+| main.rs:130:13:130:31 | b.set_secure(...) | secure | false |
+| main.rs:134:13:134:35 | c.set_partitioned(...) | partitioned | true |
+| main.rs:138:13:138:30 | d.set_secure(...) | secure | true |
+| main.rs:142:13:142:36 | e.set_partitioned(...) | partitioned | false |
+| main.rs:146:13:146:31 | f.set_secure(...) | secure | false |

rust/ql/test/query-tests/security/CWE-614/CookieSet.ql

@@ -0,0 +1,7 @@
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.security.InsecureCookieExtensions
+
+from DataFlow::Node node, string state, boolean value
+where InsecureCookie::cookieSetNode(node, state, value)
+select node, state, value