
Commit eadf922

committed
Rust: Use models-as-data, add source/sink/flow models.
1 parent d52b668 commit eadf922


5 files changed

+762
-73
lines changed

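--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,7 +1,32 @@
 # Models for the `biscotti` crate.
 extensions:
+- addsTo:
+pack: codeql/rust-all
+extensible: sourceModel
+data:
+- ["<biscotti::response_cookie::ResponseCookie>::new", "ReturnValue", "cookie-create", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie as core::convert::From>::from", "ReturnValue", "cookie-create", "manual"]
 - addsTo:
 pack: codeql/rust-all
 extensible: sinkModel
 data:
+- ["<biscotti::response_cookies::ResponseCookies>::insert", "Argument[0]", "cookie-use", "manual"]
 - ["<biscotti::crypto::master::Key>::from", "Argument[0]", "credentials-key", "manual"]
+- addsTo:
+pack: codeql/rust-all
+extensible: summaryModel
+data:
+- ["<biscotti::response_cookie::ResponseCookie>::set_secure", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_name", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_value", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_http_only", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_same_site", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_max_age", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_path", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::unset_path", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_domain", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::unset_domain", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::set_expires", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::unset_expires", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<biscotti::response_cookie::ResponseCookie>::make_permanent", "Argument[self]", "ReturnValue", "taint", "manual"]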
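Review bot: The `set_secure` row in the new `summaryModel` block carries taint from `Argument[self]` to `ReturnValue` whatever value is passed, so a cookie on which `set_secure(true)` was called still counts as a `cookie-create` value when it reaches the `cookie-use` sink at `ResponseCookies::insert`. The rewritten `InsecureCookieConfig` in `InsecureCookie.ql` defines only `isSource` and `isSink` and no `isBarrier`, so as far as this page shows the query would report correctly secured cookies with "Cookie attribute 'Secure' is not set to true."; the `CookieBuilder::secure` and `Cookie::set_secure` rows in the `cookie` models have the same effect. Either leave the secure setters out of the summaries until the query handles them, or add an `isBarrier` predicate to the config that stops flow at these calls when the argument is `true`, together with a test case for a cookie that does set Secure.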
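--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,7 +1,40 @@
 # Models for the `cookie` crate.
 extensions:
+- addsTo:
+pack: codeql/rust-all
+extensible: sourceModel
+data:
+- ["<cookie::Cookie>::build", "ReturnValue", "cookie-create", "manual"]
+- ["<cookie::builder::CookieBuilder>::new", "ReturnValue", "cookie-create", "manual"]
+- ["<cookie::Cookie>::new", "ReturnValue", "cookie-create", "manual"]
+- ["<cookie::Cookie>::named", "ReturnValue", "cookie-create", "manual"]
+- ["<cookie::Cookie as core::convert::From>::from", "ReturnValue", "cookie-create", "manual"]
 - addsTo:
 pack: codeql/rust-all
 extensible: sinkModel
 data:
+- ["<cookie::builder::CookieBuilder>::build", "Argument[self]", "cookie-use", "manual"]
+- ["<cookie::builder::CookieBuilder>::finish", "Argument[self]", "cookie-use", "manual"]
+- ["<cookie::jar::CookieJar>::add", "Argument[0]", "cookie-use", "manual"]
+- ["<cookie::jar::CookieJar>::add_original", "Argument[0]", "cookie-use", "manual"]
+- ["<cookie::secure::signed::SignedJar>::add", "Argument[0]", "cookie-use", "manual"]
+- ["<cookie::secure::signed::SignedJar>::add_original", "Argument[0]", "cookie-use", "manual"]
+- ["<cookie::secure::private::PrivateJar>::add", "Argument[0]", "cookie-use", "manual"]
+- ["<cookie::secure::private::PrivateJar>::add_original", "Argument[0]", "cookie-use", "manual"]
 - ["<cookie::secure::key::Key>::from", "Argument[0].Reference", "credentials-key", "manual"]
+- addsTo:
+pack: codeql/rust-all
+extensible: summaryModel
+data:
+- ["<cookie::builder::CookieBuilder>::secure", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::expires", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::max_age", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::domain", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::path", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::http_only", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::same_site", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::permanent", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::builder::CookieBuilder>::removal", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::Cookie>::set_secure", "Argument[self]", "ReturnValue", "taint", "manual"]
+- ["<cookie::Cookie>::set_partitioned", "Argument[self]", "ReturnValue", "taint", "manual"]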
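Review bot: The last two `summaryModel` rows, for `Cookie::set_secure` and `Cookie::set_partitioned`, send flow from `Argument[self]` to `ReturnValue`, but in the published `cookie` crate these setters take `&mut self` and return `()`, so the rows probably never reach a later use of the cookie; this is worth confirming against the crate version being modelled. They are also the only `Cookie` setters given a summary, while the `CookieBuilder` rows above cover ten methods. If the difference is deliberate, a comment above the two rows such as `# Cookie setters mutate in place; listed so the query can recognise them` would record the intent.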

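--- a/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
+++ b/rust/ql/src/queries/security/CWE-614/InsecureCookie.ql
@@ -16,34 +16,31 @@
 import rust
 import codeql.rust.dataflow.DataFlow
 import codeql.rust.dataflow.TaintTracking
-import InsecureCookieFlow::PathGraph
+import codeql.rust.dataflow.FlowSource
+import codeql.rust.dataflow.FlowSink
 
 /**
 * A data flow configuration for tracking values representing cookies without the
 * 'secure' flag set.
 */
 module InsecureCookieConfig implements DataFlow::ConfigSig {
 predicate isSource(DataFlow::Node node) {
-// creation of a cookie with default settings (insecure)
-exists(CallExprBase ce |
-ce.getStaticTarget().getCanonicalPath() = "<cookie::Cookie>::build" and
-node.asExpr().getExpr() = ce
-)
+// creation of a cookie or cookie configuration with default, insecure settings
+sourceNode(node, "cookie-create")
 }
 
 predicate isSink(DataFlow::Node node) {
-// qualifier of a call to `.build`.
-exists(MethodCallExpr ce |
-ce.getStaticTarget().getCanonicalPath() = "<cookie::builder::CookieBuilder>::build" and
-node.asExpr().getExpr() = ce.getReceiver()
-)
+// use of a cookie or cookie configuration
+sinkNode(node, "cookie-use")
 }
 
 predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module InsecureCookieFlow = TaintTracking::Global<InsecureCookieConfig>;
 
+import InsecureCookieFlow::PathGraph
+
 from InsecureCookieFlow::PathNode sourceNode, InsecureCookieFlow::PathNode sinkNode
 where InsecureCookieFlow::flowPath(sourceNode, sinkNode)
 select sinkNode.getNode(), sourceNode, sinkNode, "Cookie attribute 'Secure' is not set to true."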
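Review bot: The `from` clause variables `sourceNode` and `sinkNode` now share their names with the `sourceNode(node, "cookie-create")` and `sinkNode(node, "cookie-use")` predicates called in the new `isSource` and `isSink` bodies, which makes the query harder to read even though QL keeps variables and predicates apart. Renaming the variables removes the clash: `from InsecureCookieFlow::PathNode source, InsecureCookieFlow::PathNode sink`, `where InsecureCookieFlow::flowPath(source, sink)` and `select sink.getNode(), source, sink, "Cookie attribute 'Secure' is not set to true."`. The two new comments could also name the model kinds they depend on, for example `// any value modelled with kind "cookie-create" in the models for the cookie and biscotti crates`, so a reader knows the concrete sources and sinks are no longer listed in this file.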
