Rust: Add support for MaD sources and sinks with access paths

Author: hvitved

rust/ql/lib/codeql/rust/dataflow/FlowSink.qll

@@ -0,0 +1,36 @@
+/** Provides classes and predicates for defining flow sinks. */
+
+private import rust
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowImpl as DataFlowImpl
+
+// import all instances below
+private module Sinks {
+  private import codeql.rust.Frameworks
+  private import codeql.rust.dataflow.internal.ModelsAsData
+}
+
+/** Provides the `Range` class used to define the extent of `FlowSink`. */
+module FlowSink {
+  /** A flow source. */
+  abstract class Range extends Impl::Public::SinkNode {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate isSink(
+      string input, string kind, Impl::Public::Provenance provenance, string model
+    ) {
+      this.isSink(input, kind) and provenance = "manual" and model = ""
+    }
+
+    /**
+     * Holds is this element is a flow sink of kind `kind`, where data
+     * flows in as described by `input`.
+     */
+    predicate isSink(string output, string kind) { none() }
+  }
+}
+
+final class FlowSink = FlowSink::Range;
+
+predicate sinkNode = DataFlowImpl::sinkNode/2;

rust/ql/lib/codeql/rust/dataflow/FlowSource.qll

@@ -0,0 +1,36 @@
+/** Provides classes and predicates for defining flow sources. */
+
+private import rust
+private import internal.FlowSummaryImpl as Impl
+private import internal.DataFlowImpl as DataFlowImpl
+
+// import all instances below
+private module Sources {
+  private import codeql.rust.Frameworks
+  private import codeql.rust.dataflow.internal.ModelsAsData
+}
+
+/** Provides the `Range` class used to define the extent of `FlowSource`. */
+module FlowSource {
+  /** A flow source. */
+  abstract class Range extends Impl::Public::SourceNode {
+    bindingset[this]
+    Range() { any() }
+
+    override predicate isSource(
+      string output, string kind, Impl::Public::Provenance provenance, string model
+    ) {
+      this.isSource(output, kind) and provenance = "manual" and model = ""
+    }
+
+    /**
+     * Holds is this element is a flow source of kind `kind`, where data
+     * flows out as described by `output`.
+     */
+    predicate isSource(string output, string kind) { none() }
+  }
+}
+
+final class FlowSource = FlowSource::Range;
+
+predicate sourceNode = DataFlowImpl::sourceNode/2;

rust/ql/lib/codeql/rust/dataflow/FlowSummary.qll

@@ -57,3 +57,5 @@ module SummarizedCallable {
 }
 
 final class SummarizedCallable = SummarizedCallable::Range;
+
+final class Provenance = Impl::Public::Provenance;

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -186,18 +186,49 @@ module Node {
   class FlowSummaryNode extends Node, TFlowSummaryNode {
     FlowSummaryImpl::Private::SummaryNode getSummaryNode() { this = TFlowSummaryNode(result) }
 
-    /** Gets the summarized callable that this node belongs to. */
+    /** Gets the summarized callable that this node belongs to, if any. */
     FlowSummaryImpl::Public::SummarizedCallable getSummarizedCallable() {
       result = this.getSummaryNode().getSummarizedCallable()
     }
 
-    override CfgScope getCfgScope() { none() }
+    /** Gets the source node that this node belongs to, if any */
+    FlowSummaryImpl::Public::SourceNode getSourceNode() {
+      result = this.getSummaryNode().getSourceNode()
+    }
+
+    /** Gets the sink node that this node belongs to, if any */
+    FlowSummaryImpl::Public::SinkNode getSinkNode() { result = this.getSummaryNode().getSinkNode() }
+
+    /** Holds is this node is a source node of kind `kind`. */
+    predicate isSource(string kind) {
+      this.getSummaryNode().(FlowSummaryImpl::Private::SourceOutputNode).isEntry(kind)
+    }
+
+    /** Holds is this node is a sink node of kind `kind`. */
+    predicate isSink(string kind) {
+      this.getSummaryNode().(FlowSummaryImpl::Private::SinkInputNode).isExit(kind)
+    }
+
+    override CfgScope getCfgScope() {
+      result = this.getSummaryNode().getSourceNode().getEnclosingCfgScope()
+      or
+      result = this.getSummaryNode().getSinkNode().getEnclosingCfgScope()
+    }
 
     override DataFlowCallable getEnclosingCallable() {
       result.asLibraryCallable() = this.getSummarizedCallable()
+      or
+      result.asCfgScope() = this.getCfgScope()
     }
 
-    override EmptyLocation getLocation() { any() }
+    override Location getLocation() {
+      exists(this.getSummarizedCallable()) and
+      result instanceof EmptyLocation
+      or
+      result = this.getSourceNode().getLocation()
+      or
+      result = this.getSinkNode().getLocation()
+    }
 
     override string toString() { result = this.getSummaryNode().toString() }
   }
@@ -526,13 +557,17 @@ private ExprCfgNode getALastEvalNode(ExprCfgNode e) {
 }
 
 module LocalFlow {
-  predicate flowSummaryLocalStep(
-    Node::FlowSummaryNode nodeFrom, Node::FlowSummaryNode nodeTo,
-    FlowSummaryImpl::Public::SummarizedCallable c, string model
-  ) {
-    FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom.getSummaryNode(),
-      nodeTo.getSummaryNode(), true, model) and
-    c = nodeFrom.getSummarizedCallable()
+  predicate flowSummaryLocalStep(Node nodeFrom, Node nodeTo, string model) {
+    exists(FlowSummaryImpl::Public::SummarizedCallable c |
+      FlowSummaryImpl::Private::Steps::summaryLocalStep(nodeFrom
+            .(Node::FlowSummaryNode)
+            .getSummaryNode(), nodeTo.(Node::FlowSummaryNode).getSummaryNode(), true, model) and
+      c = nodeFrom.(Node::FlowSummaryNode).getSummarizedCallable()
+    )
+    or
+    FlowSummaryImpl::Private::localSourceNodeStep(nodeFrom, nodeTo, model)
+    or
+    FlowSummaryImpl::Private::localSinkNodeStep(nodeFrom, nodeTo, model)
   }
 
   pragma[nomagic]
@@ -848,7 +883,7 @@ module RustDataFlow implements InputSig<Location> {
   predicate nodeIsHidden(Node node) {
     node instanceof Node::SsaNode
     or
-    node instanceof Node::FlowSummaryNode
+    node.(Node::FlowSummaryNode).getSummaryNode().isHidden()
     or
     node instanceof Node::CaptureNode
     or
@@ -864,6 +899,10 @@ module RustDataFlow implements InputSig<Location> {
       node.asExpr() = match.getScrutinee() or
       node.asExpr() = match.getArmPat(_)
     )
+    or
+    FlowSummaryImpl::Private::localSourceNodeStep(_, node, _)
+    or
+    FlowSummaryImpl::Private::localSinkNodeStep(node, _, _)
   }
 
   class DataFlowExpr = ExprCfgNode;
@@ -944,7 +983,7 @@ module RustDataFlow implements InputSig<Location> {
     ) and
     model = ""
     or
-    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, _, model)
+    LocalFlow::flowSummaryLocalStep(nodeFrom, nodeTo, model)
   }
 
   /**
@@ -1499,6 +1538,14 @@ private module Cached {
 
   cached
   newtype TContentSet = TSingletonContentSet(Content c)
+
+  /** Holds if `n` is a flow source of kind `kind`. */
+  cached
+  predicate sourceNode(Node n, string kind) { n.(Node::FlowSummaryNode).isSource(kind) }
+
+  /** Holds if `n` is a flow sink of kind `kind`. */
+  cached
+  predicate sinkNode(Node n, string kind) { n.(Node::FlowSummaryNode).isSink(kind) }
 }
 
 import Cached

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -9,8 +9,48 @@ private import codeql.rust.dataflow.internal.DataFlowImpl
 private import codeql.rust.dataflow.FlowSummary
 
 module Input implements InputSig<Location, RustDataFlow> {
+  private import codeql.rust.elements.internal.CallExprBaseImpl::Impl as CallExprBaseImpl
+
   class SummarizedCallableBase = string;
 
+  abstract private class SourceSinkBase extends AstNode {
+    /** Gets the associated call. */
+    abstract CallExprBase getCall();
+
+    /** Holds if the associated call resolves to `crate, path`. */
+    final predicate callResolvesTo(string crate, string path) {
+      exists(Resolvable r |
+        r = CallExprBaseImpl::getCallResolvable(this.getCall()) and
+        path = r.getResolvedPath()
+      |
+        crate = r.getResolvedCrateOrigin()
+        or
+        not r.hasResolvedCrateOrigin() and
+        crate = ""
+      )
+    }
+  }
+
+  abstract class SourceBase extends SourceSinkBase { }
+
+  abstract class SinkBase extends SourceSinkBase { }
+
+  private class CallExprFunction extends SourceBase, SinkBase {
+    private CallExpr call;
+
+    CallExprFunction() { this = call.getFunction() }
+
+    override CallExpr getCall() { result = call }
+  }
+
+  private class MethodCallExprNameRef extends SourceBase, SinkBase {
+    private MethodCallExpr call;
+
+    MethodCallExprNameRef() { this = call.getNameRef() }
+
+    override MethodCallExpr getCall() { result = call }
+  }
+
   RustDataFlow::ArgumentPosition callbackSelfParameterPosition() { none() }
 
   ReturnKind getStandardReturnValueKind() { result = TNormalReturnKind() }
@@ -92,6 +132,30 @@ module Private {
   import Impl::Private
 
   module Steps = Impl::Private::Steps<StepsInput>;
+
+  private import codeql.rust.dataflow.FlowSource
+  private import codeql.rust.dataflow.FlowSink
+
+  predicate localSourceNodeStep(Node::FlowSummaryNode nodeFrom, Node::ExprNode nodeTo, string model) {
+    exists(SummaryComponent sc, FlowSource source |
+      nodeFrom.getSummaryNode().(SourceOutputNode).isExit(source, sc, model) and
+      sc = SummaryComponent::return(_) and
+      nodeTo.asExpr().getExpr() = source.getCall()
+    )
+  }
+
+  predicate localSinkNodeStep(Node::ExprNode nodeFrom, Node::FlowSummaryNode nodeTo, string model) {
+    exists(CallExprBase call, Expr arg, SummaryComponent sc, FlowSink sink, ParameterPosition pos |
+      nodeFrom.asExpr().getExpr() = arg and
+      nodeTo.getSummaryNode().(SinkInputNode).isEntry(sink, sc, model) and
+      sc = SummaryComponent::argument(pos) and
+      call = sink.getCall()
+    |
+      arg = call.getArgList().getArg(pos.getPosition())
+      or
+      arg = call.(MethodCallExpr).getReceiver() and pos.isSelf()
+    )
+  }
 }
 
 module Public = Impl::Public;

rust/ql/lib/codeql/rust/dataflow/internal/ModelsAsData.qll

@@ -47,6 +47,8 @@
 
 private import rust
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.dataflow.FlowSink
 
 /**
  * Holds if in a call to the function with canonical path `path`, defined in the
@@ -138,3 +140,37 @@ private class SummarizedCallableFromModel extends SummarizedCallable::Range {
     )
   }
 }
+
+private class FlowSourceFromModel extends FlowSource::Range {
+  private string crate;
+  private string path;
+
+  FlowSourceFromModel() {
+    sourceModel(crate, path, _, _, _, _) and
+    this.callResolvesTo(crate, path)
+  }
+
+  override predicate isSource(string output, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      sourceModel(crate, path, output, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}
+
+private class FlowSinkFromModel extends FlowSink::Range {
+  private string crate;
+  private string path;
+
+  FlowSinkFromModel() {
+    sinkModel(crate, path, _, _, _, _) and
+    this.callResolvesTo(crate, path)
+  }
+
+  override predicate isSink(string input, string kind, Provenance provenance, string model) {
+    exists(QlBuiltins::ExtensionId madId |
+      sinkModel(crate, path, input, kind, provenance, madId) and
+      model = "MaD:" + madId.toString()
+    )
+  }
+}

rust/ql/lib/utils/test/InlineFlowTest.qll

@@ -27,6 +27,12 @@ private module FlowTestImpl implements InputSig<Location, RustDataFlow> {
   private string getSourceArgString(DataFlow::Node src) {
     defaultSource(src) and
     result = src.asExpr().(CallExprCfgNode).getArgument(0).toString()
+    or
+    sourceNode(src, _) and
+    exists(CallExprBase call |
+      call = src.(Node::FlowSummaryNode).getSourceNode().getCall() and
+      result = call.getArgList().getArg(0).toString()
+    )
   }
 
   bindingset[src, sink]