diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll index 117f67a7b4e5..89a0a2c5c926 100644 --- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -69,6 +70,13 @@ module AccessInvalidPointer { ModelsAsDataSink() { sinkNode(this, "pointer-access") } } + /** + * A barrier for invalid pointer access from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "pointer-access") } + } + /** * A barrier for invalid pointer access vulnerabilities for values checked to * be non-`null`. diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll index f634992fb81e..c728d29f0155 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -44,6 +45,13 @@ module CleartextLogging { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for logging from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier diff --git a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll index f92b2df1dc0b..afbf27e5bc9e 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll @@ -45,4 +45,11 @@ module CleartextStorageDatabase { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) } } + + /** + * A barrier for cleartext storage vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll index 7d5a91a55f74..14ee95186c3a 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -55,4 +56,11 @@ module CleartextTransmission { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) } } + + /** + * A barrier defined through MaD. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll index a86ee506dfa9..a5933bc74b1c 100644 --- a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.dataflow.internal.Node as Node @@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions { override string getSinkType() { result = "DisabledCertificateCheck" } } + /** + * A data flow barrier for disabled certificate check vulnerabilities. + */ + abstract class Barrier extends DataFlow::Node { } + /** * A sink for disabled certificate check vulnerabilities from model data. */ @@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions { ) } } + + /** + * A barrier for disabled certificate check vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") } + } } diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 9bdfc53971e3..09e2505eb5c2 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -130,6 +131,19 @@ module HardcodedCryptographicValue { override CryptographicValueKind getKind() { result = kind } } + /** + * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. + * + * Note that a barrier will block flow to all hard-coded cryptographic value + * sinks, regardless of the `kind` that is specified. For example a barrier of + * kind `credentials-key` will block flow to a sink of kind `credentials-iv`. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { + exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) + } + } + /** * A call to `getrandom` that is a barrier. */ diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll index 87d37d6b85b4..bd74dcb8728b 100644 --- a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -48,6 +49,13 @@ module InsecureCookie { ModelsAsDataSink() { sinkNode(this, "cookie-use") } } + /** + * A barrier for insecure cookie vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "cookie-use") } + } + /** * Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`, * with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example, diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll index 31403b625f92..40d113623554 100644 --- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -44,6 +45,13 @@ module LogInjection { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for log-injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + /** * A barrier for log injection vulnerabilities for nodes whose type is a * numeric type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll index 1822baff6448..d5b75258ad42 100644 --- a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.dataflow.FlowSource private import codeql.rust.Concepts @@ -46,4 +47,11 @@ module RequestForgery { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for request forgery from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll index f36ab264987a..de2622974f6f 100644 --- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -53,12 +54,19 @@ module SqlInjection { } /** - * A sink for sql-injection from model data. + * A sink for SQL injection from model data. */ private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "sql-injection") } } + /** + * A barrier for SQL injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "sql-injection") } + } + /** * A barrier for SQL injection vulnerabilities for nodes whose type is a numeric * type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll index ccf3736ceb4a..2bd009909f6d 100644 --- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll @@ -47,6 +47,11 @@ module TaintedPath { private class ModelsAsDataSinks extends Sink { ModelsAsDataSinks() { sinkNode(this, "path-injection") } } + + /** A barrier for path-injection from model data. */ + private class ModelsAsDataBarriers extends Barrier { + ModelsAsDataBarriers() { barrierNode(this, "path-injection") } + } } private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) { diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll index c6251563ea6f..f0c0bed00097 100644 --- a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink /** @@ -32,6 +33,13 @@ module UncontrolledAllocationSize { ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) } } + /** + * A barrier for uncontrolled allocation size from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) } + } + /** * A barrier for uncontrolled allocation size that is an upper bound check / guard. */ diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll index 076ed42edfbb..f4dd5a1e1a85 100644 --- a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -59,4 +60,11 @@ module UseOfHttp { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for use of HTTP URLs from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll index 97318ff81737..74ed161acb09 100644 --- a/rust/ql/lib/codeql/rust/security/XssExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/XssExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -44,6 +45,13 @@ module Xss { ModelsAsDataSink() { sinkNode(this, "html-injection") } } + /** + * A barrier for XSS from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "html-injection") } + } + /** * A barrier for XSS vulnerabilities for nodes whose type is a * numeric or boolean type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll index 7cb0dc47c9f3..3f1dbbafb7d6 100644 --- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.security.Barriers as Barriers @@ -69,6 +70,13 @@ module RegexInjection { ModelsAsDataSink() { sinkNode(this, "regex-use") } } + /** + * A barrier for regular expression injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "regex-use") } + } + /** * An escape barrier for regular expression injection vulnerabilities. */ diff --git a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql index ae22a3c9d2c0..3e978e2934b6 100644 --- a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql +++ b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql @@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node instanceof Sink } + predicate isBarrier(DataFlow::Node node) { node instanceof Barrier } + predicate observeDiffInformedIncrementalMode() { any() } }