Skip to content

Commit a3ed83b

Browse files
geoffw0geoffw0
committed
Rust: Make state transition / barrier nodes more reliable.
1 parent 2654aff commit a3ed83b

File tree

4 files changed

+176
-158
lines changed

4 files changed

+176
-158
lines changed

rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ private import codeql.rust.dataflow.FlowSink
1010
private import codeql.rust.Concepts
1111
private import codeql.rust.dataflow.internal.DataFlowImpl as DataflowImpl
1212
private import codeql.rust.dataflow.internal.Node
13+
private import codeql.rust.controlflow.BasicBlocks
1314

1415
/**
1516
* Provides default sources, sinks and barriers for detecting insecure
@@ -74,8 +75,16 @@ module InsecureCookie {
7475
then value = true // `true` flow to here
7576
else value = false // `false` or unknown
7677
) and
77-
// and the node `node` where this happens
78-
node.asExpr().getExpr() = ce
78+
// and find the node where this happens
79+
(
80+
node.asExpr().getExpr() = ce.(MethodCallExpr).getReceiver() // e.g. `a` in `a.set_secure(true)`
81+
or
82+
exists(BasicBlock bb, int i |
83+
// associated SSA node
84+
node.(SsaNode).asDefinition().definesAt(_, bb, i) and
85+
ce.(MethodCallExpr).getReceiver() = bb.getNode(i).getAstNode()
86+
)
87+
)
7988
)
8089
}
8190
}

rust/ql/test/query-tests/security/CWE-614/CookieSet.expected

Lines changed: 51 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -1,44 +1,51 @@
1-
| main.rs:8:19:8:64 | ... .secure(...) | secure | false |
2-
| main.rs:12:19:12:63 | ... .secure(...) | secure | true |
3-
| main.rs:20:5:20:54 | ... .secure(...) | secure | false |
4-
| main.rs:21:5:21:55 | ... .secure(...) | secure | false |
5-
| main.rs:24:5:24:51 | ... .secure(...) | secure | false |
6-
| main.rs:25:5:25:52 | ... .secure(...) | secure | false |
7-
| main.rs:26:5:26:50 | ... .secure(...) | secure | false |
8-
| main.rs:27:5:27:51 | ... .secure(...) | secure | false |
9-
| main.rs:28:5:28:60 | ... .secure(...) | secure | false |
10-
| main.rs:29:5:29:60 | ... .secure(...) | secure | false |
11-
| main.rs:33:9:33:58 | ... .secure(...) | secure | false |
12-
| main.rs:35:9:35:58 | ... .secure(...) | secure | false |
13-
| main.rs:39:5:39:53 | ... .secure(...) | secure | false |
14-
| main.rs:40:5:40:64 | ... .secure(...) | secure | false |
15-
| main.rs:41:5:41:93 | ... .secure(...) | secure | false |
16-
| main.rs:42:5:42:72 | ... .secure(...) | secure | false |
17-
| main.rs:43:5:43:60 | ... .secure(...) | secure | false |
18-
| main.rs:44:5:44:66 | ... .secure(...) | secure | false |
19-
| main.rs:45:5:45:86 | ... .secure(...) | secure | false |
20-
| main.rs:46:5:46:62 | ... .secure(...) | secure | false |
21-
| main.rs:47:5:47:60 | ... .secure(...) | secure | false |
22-
| main.rs:48:5:48:50 | ... .secure(...) | secure | false |
23-
| main.rs:49:5:49:39 | ... .secure(...) | secure | false |
24-
| main.rs:50:5:50:54 | ... .secure(...) | secure | false |
25-
| main.rs:53:5:53:49 | ... .secure(...) | secure | true |
26-
| main.rs:53:5:53:63 | ... .secure(...) | secure | false |
27-
| main.rs:54:5:54:50 | ... .secure(...) | secure | false |
28-
| main.rs:54:5:54:63 | ... .secure(...) | secure | true |
29-
| main.rs:61:5:61:22 | a.set_secure(...) | secure | true |
30-
| main.rs:63:5:63:23 | a.set_secure(...) | secure | false |
31-
| main.rs:71:5:71:27 | b.set_secure(...) | secure | false |
32-
| main.rs:73:5:73:22 | b.set_secure(...) | secure | true |
33-
| main.rs:81:9:81:26 | c.set_secure(...) | secure | true |
34-
| main.rs:84:5:84:22 | c.set_secure(...) | secure | true |
35-
| main.rs:90:9:90:26 | c.set_secure(...) | secure | true |
36-
| main.rs:92:9:92:31 | c.set_partitioned(...) | partitioned | true |
37-
| main.rs:109:9:109:26 | e.set_secure(...) | secure | true |
38-
| main.rs:114:5:114:54 | ... .partitioned(...) | partitioned | true |
39-
| main.rs:126:13:126:30 | a.set_secure(...) | secure | true |
40-
| main.rs:130:13:130:31 | b.set_secure(...) | secure | false |
41-
| main.rs:134:13:134:35 | c.set_partitioned(...) | partitioned | true |
42-
| main.rs:138:13:138:30 | d.set_secure(...) | secure | true |
43-
| main.rs:142:13:142:36 | e.set_partitioned(...) | partitioned | false |
44-
| main.rs:146:13:146:31 | f.set_secure(...) | secure | false |
1+
| main.rs:8:19:8:50 | ...::build(...) | secure | false |
2+
| main.rs:12:19:12:50 | ...::build(...) | secure | true |
3+
| main.rs:20:5:20:36 | ...::build(...) | secure | false |
4+
| main.rs:21:5:21:36 | ...::build(...) | secure | false |
5+
| main.rs:24:5:24:36 | ...::build(...) | secure | false |
6+
| main.rs:25:5:25:36 | ...::build(...) | secure | false |
7+
| main.rs:26:5:26:36 | ...::build(...) | secure | false |
8+
| main.rs:27:5:27:36 | ...::build(...) | secure | false |
9+
| main.rs:28:5:28:36 | ...::build(...) | secure | false |
10+
| main.rs:29:5:29:36 | ...::build(...) | secure | false |
11+
| main.rs:33:9:33:40 | ...::build(...) | secure | false |
12+
| main.rs:35:9:35:40 | ...::build(...) | secure | false |
13+
| main.rs:39:5:39:39 | ...::new(...) | secure | false |
14+
| main.rs:40:5:40:50 | ... .expires(...) | secure | false |
15+
| main.rs:41:5:41:79 | ... .max_age(...) | secure | false |
16+
| main.rs:42:5:42:58 | ... .domain(...) | secure | false |
17+
| main.rs:43:5:43:46 | ... .path(...) | secure | false |
18+
| main.rs:44:5:44:52 | ... .http_only(...) | secure | false |
19+
| main.rs:45:5:45:72 | ... .same_site(...) | secure | false |
20+
| main.rs:46:5:46:48 | ... .permanent() | secure | false |
21+
| main.rs:47:5:47:46 | ... .removal() | secure | false |
22+
| main.rs:48:5:48:36 | ...::build(...) | secure | false |
23+
| main.rs:49:5:49:25 | ...::build(...) | secure | false |
24+
| main.rs:50:5:50:40 | ...::build(...) | secure | false |
25+
| main.rs:53:5:53:36 | ...::build(...) | secure | true |
26+
| main.rs:53:5:53:49 | ... .secure(...) | secure | false |
27+
| main.rs:54:5:54:36 | ...::build(...) | secure | false |
28+
| main.rs:54:5:54:50 | ... .secure(...) | secure | true |
29+
| main.rs:61:5:61:5 | [SSA] a | secure | true |
30+
| main.rs:61:5:61:5 | a | secure | true |
31+
| main.rs:63:5:63:5 | [SSA] a | secure | false |
32+
| main.rs:63:5:63:5 | a | secure | false |
33+
| main.rs:71:5:71:5 | [SSA] b | secure | false |
34+
| main.rs:71:5:71:5 | b | secure | false |
35+
| main.rs:73:5:73:5 | [SSA] b | secure | true |
36+
| main.rs:73:5:73:5 | b | secure | true |
37+
| main.rs:81:9:81:9 | [SSA] c | secure | true |
38+
| main.rs:81:9:81:9 | c | secure | true |
39+
| main.rs:84:5:84:5 | [SSA] c | secure | true |
40+
| main.rs:84:5:84:5 | c | secure | true |
41+
| main.rs:90:9:90:9 | c | secure | true |
42+
| main.rs:92:9:92:9 | c | partitioned | true |
43+
| main.rs:109:9:109:9 | [SSA] e | secure | true |
44+
| main.rs:109:9:109:9 | e | secure | true |
45+
| main.rs:114:5:114:36 | ...::build(...) | partitioned | true |
46+
| main.rs:126:13:126:13 | a | secure | true |
47+
| main.rs:130:13:130:13 | b | secure | false |
48+
| main.rs:134:13:134:13 | c | partitioned | true |
49+
| main.rs:138:13:138:13 | d | secure | true |
50+
| main.rs:142:13:142:13 | e | partitioned | false |
51+
| main.rs:146:13:146:13 | f | secure | false |

0 commit comments

Comments
 (0)