From 5762191832b974ccc3d887ffb613aca673963e02 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Mon, 23 Mar 2026 17:20:43 +0000 Subject: [PATCH 1/5] Enable MaD barriers for queries with MaD sinks --- .../security/AccessInvalidPointerExtensions.qll | 8 ++++++++ .../rust/security/CleartextLoggingExtensions.qll | 8 ++++++++ .../security/CleartextStorageDatabaseExtensions.qll | 7 +++++++ .../security/CleartextTransmissionExtensions.qll | 8 ++++++++ .../security/DisabledCertificateCheckExtensions.qll | 13 +++++++++++++ .../HardcodedCryptographicValueExtensions.qll | 10 ++++++++++ .../rust/security/InsecureCookieExtensions.qll | 8 ++++++++ .../codeql/rust/security/LogInjectionExtensions.qll | 8 ++++++++ .../rust/security/RequestForgeryExtensions.qll | 8 ++++++++ .../codeql/rust/security/SqlInjectionExtensions.qll | 10 +++++++++- .../codeql/rust/security/TaintedPathExtensions.qll | 5 +++++ .../UncontrolledAllocationSizeExtensions.qll | 8 ++++++++ .../codeql/rust/security/UseOfHttpExtensions.qll | 8 ++++++++ rust/ql/lib/codeql/rust/security/XssExtensions.qll | 8 ++++++++ .../security/regex/RegexInjectionExtensions.qll | 8 ++++++++ .../security/CWE-295/DisabledCertificateCheck.ql | 2 ++ 16 files changed, 126 insertions(+), 1 deletion(-) diff --git a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll index 117f67a7b4e5..89a0a2c5c926 100644 --- a/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/AccessInvalidPointerExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -69,6 +70,13 @@ module AccessInvalidPointer { ModelsAsDataSink() { sinkNode(this, "pointer-access") } } + /** + * A barrier for invalid pointer access from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "pointer-access") } + } + /** * A barrier for invalid pointer access vulnerabilities for values checked to * be non-`null`. diff --git a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll index f634992fb81e..c728d29f0155 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -44,6 +45,13 @@ module CleartextLogging { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for logging from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + private class BooleanTypeBarrier extends Barrier instanceof Barriers::BooleanTypeBarrier { } private class FieldlessEnumTypeBarrier extends Barrier instanceof Barriers::FieldlessEnumTypeBarrier diff --git a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll index f92b2df1dc0b..afbf27e5bc9e 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll @@ -45,4 +45,11 @@ module CleartextStorageDatabase { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["sql-injection", "database-store"]) } } + + /** + * A barrier for cleartext storage vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["sql-injection", "database-store"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll index 7d5a91a55f74..14ee95186c3a 100644 --- a/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.security.SensitiveData private import codeql.rust.Concepts @@ -55,4 +56,11 @@ module CleartextTransmission { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, ["transmission", "request-url"]) } } + + /** + * A barrier defined through MaD. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["transmission", "request-url"]) } + } } diff --git a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll index a86ee506dfa9..a5933bc74b1c 100644 --- a/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/DisabledCertificateCheckExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.dataflow.internal.Node as Node @@ -21,6 +22,11 @@ module DisabledCertificateCheckExtensions { override string getSinkType() { result = "DisabledCertificateCheck" } } + /** + * A data flow barrier for disabled certificate check vulnerabilities. + */ + abstract class Barrier extends DataFlow::Node { } + /** * A sink for disabled certificate check vulnerabilities from model data. */ @@ -42,4 +48,11 @@ module DisabledCertificateCheckExtensions { ) } } + + /** + * A barrier for disabled certificate check vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "disable-certificate") } + } } diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 9bdfc53971e3..ffef3658d582 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -130,6 +131,15 @@ module HardcodedCryptographicValue { override CryptographicValueKind getKind() { result = kind } } + /** + * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. + */ + private class ModelsAsDataBarrier extends Barrier { + CryptographicValueKind kind; + + ModelsAsDataBarrier() { barrierNode(this, "credentials-" + kind) } + } + /** * A call to `getrandom` that is a barrier. */ diff --git a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll index 87d37d6b85b4..bd74dcb8728b 100644 --- a/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/InsecureCookieExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSource private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -48,6 +49,13 @@ module InsecureCookie { ModelsAsDataSink() { sinkNode(this, "cookie-use") } } + /** + * A barrier for insecure cookie vulnerabilities from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "cookie-use") } + } + /** * Holds if a models-as-data optional barrier for cookies is specified for `summaryNode`, * with arguments `attrib` (`secure` or `partitioned`) and `arg` (argument index). For example, diff --git a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll index 31403b625f92..40d113623554 100644 --- a/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/LogInjectionExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -44,6 +45,13 @@ module LogInjection { ModelsAsDataSink() { sinkNode(this, "log-injection") } } + /** + * A barrier for log-injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "log-injection") } + } + /** * A barrier for log injection vulnerabilities for nodes whose type is a * numeric type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll index 1822baff6448..d5b75258ad42 100644 --- a/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/RequestForgeryExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.dataflow.FlowSource private import codeql.rust.Concepts @@ -46,4 +47,11 @@ module RequestForgery { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for request forgery from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll index f36ab264987a..de2622974f6f 100644 --- a/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -53,12 +54,19 @@ module SqlInjection { } /** - * A sink for sql-injection from model data. + * A sink for SQL injection from model data. */ private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "sql-injection") } } + /** + * A barrier for SQL injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "sql-injection") } + } + /** * A barrier for SQL injection vulnerabilities for nodes whose type is a numeric * type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll index ccf3736ceb4a..2bd009909f6d 100644 --- a/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll @@ -47,6 +47,11 @@ module TaintedPath { private class ModelsAsDataSinks extends Sink { ModelsAsDataSinks() { sinkNode(this, "path-injection") } } + + /** A barrier for path-injection from model data. */ + private class ModelsAsDataBarriers extends Barrier { + ModelsAsDataBarriers() { barrierNode(this, "path-injection") } + } } private predicate sanitizerGuard(AstNode g, Expr e, boolean branch) { diff --git a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll index c6251563ea6f..f0c0bed00097 100644 --- a/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UncontrolledAllocationSizeExtensions.qll @@ -6,6 +6,7 @@ import rust private import codeql.rust.Concepts private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink /** @@ -32,6 +33,13 @@ module UncontrolledAllocationSize { ModelsAsDataSink() { sinkNode(this, ["alloc-size", "alloc-layout"]) } } + /** + * A barrier for uncontrolled allocation size from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, ["alloc-size", "alloc-layout"]) } + } + /** * A barrier for uncontrolled allocation size that is an upper bound check / guard. */ diff --git a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll index 076ed42edfbb..f4dd5a1e1a85 100644 --- a/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/UseOfHttpExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts @@ -59,4 +60,11 @@ module UseOfHttp { private class ModelsAsDataSink extends Sink { ModelsAsDataSink() { sinkNode(this, "request-url") } } + + /** + * A barrier for use of HTTP URLs from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "request-url") } + } } diff --git a/rust/ql/lib/codeql/rust/security/XssExtensions.qll b/rust/ql/lib/codeql/rust/security/XssExtensions.qll index 97318ff81737..74ed161acb09 100644 --- a/rust/ql/lib/codeql/rust/security/XssExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/XssExtensions.qll @@ -5,6 +5,7 @@ import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.util.Unit @@ -44,6 +45,13 @@ module Xss { ModelsAsDataSink() { sinkNode(this, "html-injection") } } + /** + * A barrier for XSS from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "html-injection") } + } + /** * A barrier for XSS vulnerabilities for nodes whose type is a * numeric or boolean type, which is unlikely to expose any vulnerability. diff --git a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll index 7cb0dc47c9f3..3f1dbbafb7d6 100644 --- a/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll @@ -6,6 +6,7 @@ private import codeql.util.Unit private import rust private import codeql.rust.dataflow.DataFlow +private import codeql.rust.dataflow.FlowBarrier private import codeql.rust.dataflow.FlowSink private import codeql.rust.Concepts private import codeql.rust.security.Barriers as Barriers @@ -69,6 +70,13 @@ module RegexInjection { ModelsAsDataSink() { sinkNode(this, "regex-use") } } + /** + * A barrier for regular expression injection from model data. + */ + private class ModelsAsDataBarrier extends Barrier { + ModelsAsDataBarrier() { barrierNode(this, "regex-use") } + } + /** * An escape barrier for regular expression injection vulnerabilities. */ diff --git a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql index ae22a3c9d2c0..3e978e2934b6 100644 --- a/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql +++ b/rust/ql/src/queries/security/CWE-295/DisabledCertificateCheck.ql @@ -33,6 +33,8 @@ module DisabledCertificateCheckConfig implements DataFlow::ConfigSig { predicate isSink(DataFlow::Node node) { node instanceof Sink } + predicate isBarrier(DataFlow::Node node) { node instanceof Barrier } + predicate observeDiffInformedIncrementalMode() { any() } } From 93231794ee64b8c4788d6077490cb762a193cea5 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 24 Mar 2026 10:39:05 +0000 Subject: [PATCH 2/5] Document that MaD barriers for hardcoded credentials apply to all kinds --- .../rust/security/HardcodedCryptographicValueExtensions.qll | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index ffef3658d582..70799e39d589 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -133,6 +133,9 @@ module HardcodedCryptographicValue { /** * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. + * + * Note that a sanitizer with kind `credentials-key` will sanitize flow to + * all sinks, not just sinks with the same kind. */ private class ModelsAsDataBarrier extends Barrier { CryptographicValueKind kind; From 7e6319d6484c107113b1ac1b7056c7ee25fb8e74 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 24 Mar 2026 10:39:32 +0000 Subject: [PATCH 3/5] Remove unused field --- .../rust/security/HardcodedCryptographicValueExtensions.qll | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 70799e39d589..144828724433 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -138,9 +138,7 @@ module HardcodedCryptographicValue { * all sinks, not just sinks with the same kind. */ private class ModelsAsDataBarrier extends Barrier { - CryptographicValueKind kind; - - ModelsAsDataBarrier() { barrierNode(this, "credentials-" + kind) } + ModelsAsDataBarrier() { exists(string kind | barrierNode(this, "credentials-" + kind)) } } /** From bedfe1e7556da2fda49aa10e6fe6d23598ca29d3 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com> Date: Tue, 24 Mar 2026 22:06:53 +0000 Subject: [PATCH 4/5] Apply suggestions from code review Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com> --- .../security/HardcodedCryptographicValueExtensions.qll | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 144828724433..7ac59c92c184 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -134,11 +134,12 @@ module HardcodedCryptographicValue { /** * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. * - * Note that a sanitizer with kind `credentials-key` will sanitize flow to - * all sinks, not just sinks with the same kind. + * Note that a barrier will block flow to all hard-coded cryptographic value + * sinks, regardless of the `kind` that is specified. For example a barrier of + * kind `credentials-key` will block flow to a sink of kind `credentials-iv`. */ private class ModelsAsDataBarrier extends Barrier { - ModelsAsDataBarrier() { exists(string kind | barrierNode(this, "credentials-" + kind)) } + ModelsAsDataBarrier() { exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) } } /** From f25d7456da8067141c271899bcb8ac9c0cb82030 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Wed, 25 Mar 2026 10:05:04 +0000 Subject: [PATCH 5/5] Fix QL formatting --- .../security/HardcodedCryptographicValueExtensions.qll | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll index 7ac59c92c184..09e2505eb5c2 100644 --- a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll +++ b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll @@ -134,12 +134,14 @@ module HardcodedCryptographicValue { /** * An externally modeled barrier for hard-coded cryptographic value vulnerabilities. * - * Note that a barrier will block flow to all hard-coded cryptographic value - * sinks, regardless of the `kind` that is specified. For example a barrier of - * kind `credentials-key` will block flow to a sink of kind `credentials-iv`. + * Note that a barrier will block flow to all hard-coded cryptographic value + * sinks, regardless of the `kind` that is specified. For example a barrier of + * kind `credentials-key` will block flow to a sink of kind `credentials-iv`. */ private class ModelsAsDataBarrier extends Barrier { - ModelsAsDataBarrier() { exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) } + ModelsAsDataBarrier() { + exists(CryptographicValueKind kind | barrierNode(this, "credentials-" + kind)) + } } /**