Shared: Pass SummaryComponentStack to isSource and getSourceType

Author: paldepind

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -508,7 +508,8 @@ module RustDataFlow implements InputSig<Location> {
    */
   predicate jumpStep(Node node1, Node node2) {
     FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
-      node2.(FlowSummaryNode).getSummaryNode())
+      node2.(FlowSummaryNode).getSummaryNode()) or
+    FlowSummaryImpl::Private::Steps::sourceJumpStep(node1.(FlowSummaryNode).getSummaryNode(), node2)
   }
 
   pragma[nomagic]

rust/ql/lib/codeql/rust/dataflow/internal/FlowSummaryImpl.qll

@@ -6,7 +6,10 @@ private import rust
 private import codeql.dataflow.internal.FlowSummaryImpl
 private import codeql.dataflow.internal.AccessPathSyntax as AccessPath
 private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.internal.PathResolution
 private import codeql.rust.dataflow.FlowSummary
+private import codeql.rust.dataflow.Ssa
+private import codeql.rust.controlflow.CfgNodes
 private import Content
 
 module Input implements InputSig<Location, RustDataFlow> {
@@ -133,16 +136,44 @@ private module StepsInput implements Impl::Private::StepsInputSig {
     result.asCallCfgNode().getCall().getStaticTarget() = sc
   }
 
-  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
-    sc = Impl::Private::SummaryComponent::return(_) and
+  /** Gets the argument of `source` described by `sc`, if any. */
+  private Expr getSourceNodeArgument(Input::SourceBase source, Impl::Private::SummaryComponent sc) {
+    exists(ArgumentPosition pos |
+      sc = Impl::Private::SummaryComponent::argument(pos) and
+      result = pos.getArgument(source.getCall())
+    )
+  }
+
+  /** Get the callable that `expr` refers to. */
+  private Callable getCallable(Expr expr) {
+    result = resolvePath(expr.(PathExpr).getPath()).(Function)
+    or
+    result = expr.(ClosureExpr)
+    or
+    // The expression is an SSA read of an assignment of a closure
+    exists(Ssa::Definition def, ExprCfgNode value |
+      def.getARead().getAstNode() = expr and
+      def.getAnUltimateDefinition().(Ssa::WriteDefinition).assigns(value) and
+      result = value.getExpr().(ClosureExpr)
+    )
+  }
+
+  RustDataFlow::DataFlowCallable getSourceNodeEnclosingCallable(Input::SourceBase source) {
+    result.asCfgScope() = source.getEnclosingCfgScope()
+  }
+
+  RustDataFlow::Node getSourceNode(Input::SourceBase source, Impl::Private::SummaryComponentStack s) {
+    s.head() = Impl::Private::SummaryComponent::return(_) and
     result.asExpr().getExpr() = source.getCall()
     or
-    exists(CallExprBase call, Expr arg, ArgumentPosition pos |
-      result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() = arg and
-      sc = Impl::Private::SummaryComponent::argument(pos) and
-      call = source.getCall() and
-      arg = pos.getArgument(call)
+    exists(ArgumentPosition pos, Expr arg |
+      s.head() = Impl::Private::SummaryComponent::parameter(pos) and
+      arg = getSourceNodeArgument(source, s.tail().head()) and
+      result.asParameter() = getCallable(arg).getParam(pos.getPosition())
     )
+    or
+    result.(RustDataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() =
+      getSourceNodeArgument(source, s.head())
   }
 
   RustDataFlow::Node getSinkNode(Input::SinkBase sink, Impl::Private::SummaryComponent sc) {

rust/ql/test/library-tests/dataflow/models/main.rs

@@ -258,20 +258,20 @@ mod source_into_function {
     }
 
     fn test_source_into_function() {
-        let a = |a| sink(a); // $ MISSING: hasValueFlow=1
+        let a = |a| sink(a); // $ hasValueFlow=1
         pass_source(1, a);
 
         pass_source(2, |a| {
-            sink(a); // $ MISSING: hasValueFlow=2
+            sink(a); // $ hasValueFlow=2
         });
 
         fn f(a: i64) {
-            sink(a) // $ MISSING: hasValueFlow=3
+            sink(a) // $ hasValueFlow=3
         }
         pass_source(3, f);
 
         pass_source(4, async move |a| {
-            sink(a); // $ MISSING: hasValueFlow=4
+            sink(a); // $ hasValueFlow=4
         });
     }
 }

rust/ql/test/library-tests/dataflow/models/models.expected

@@ -241,15 +241,15 @@ mod warp_test {
         let map_route =
             warp::path::param().map(|a: String| // $ Alert[rust/summary/taint-sources]
             {
-            sink(a); // $ MISSING: hasTaintFlow
+            sink(a); // $ hasTaintFlow
 
             "".to_string()
         });
 
         // A route with parameter and `then`
         let then_route = warp::path::param().then( // $ Alert[rust/summary/taint-sources]
             async move |a: String| {
-                sink(a); // $ MISSING: hasTaintFlow
+                sink(a); // $ hasTaintFlow
 
                 "".to_string()
             },
@@ -260,7 +260,7 @@ mod warp_test {
             async move | id: u64 |
             {
             if id != 0 {
-                sink(id); // $ MISSING: hasTaintFlow
+                sink(id); // $ hasTaintFlow
                 Ok("".to_string())
             } else {
                 Err(warp::reject::not_found())
@@ -272,7 +272,7 @@ mod warp_test {
         let path_and_map_route = warp::path("1").and(warp::path::param()).map( // $ Alert[rust/summary/taint-sources] 
             | a: String |
             {
-                sink(a); // $ MISSING: hasTaintFlow
+                sink(a); // $ hasTaintFlow
 
                 "".to_string()
              },

rust/ql/test/library-tests/dataflow/sources/InlineFlow.expected

@@ -8,6 +8,8 @@
 | request_forgery_tests.rs:31:29:31:40 | ...::get | request_forgery_tests.rs:5:29:5:36 | user_url | request_forgery_tests.rs:31:29:31:40 | ...::get | The URL of this request depends on a $@. | request_forgery_tests.rs:5:29:5:36 | user_url | user-provided value |
 | request_forgery_tests.rs:37:37:37:48 | ...::get | request_forgery_tests.rs:5:29:5:36 | user_url | request_forgery_tests.rs:37:37:37:48 | ...::get | The URL of this request depends on a $@. | request_forgery_tests.rs:5:29:5:36 | user_url | user-provided value |
 | request_forgery_tests.rs:37:37:37:48 | ...::get | request_forgery_tests.rs:5:29:5:36 | user_url | request_forgery_tests.rs:37:37:37:48 | ...::get | The URL of this request depends on a $@. | request_forgery_tests.rs:5:29:5:36 | user_url | user-provided value |
+| request_forgery_tests.rs:68:28:68:39 | ...::get | request_forgery_tests.rs:65:33:65:40 | and_then | request_forgery_tests.rs:68:28:68:39 | ...::get | The URL of this request depends on a $@. | request_forgery_tests.rs:65:33:65:40 | and_then | user-provided value |
+| request_forgery_tests.rs:68:28:68:39 | ...::get | request_forgery_tests.rs:65:33:65:40 | and_then | request_forgery_tests.rs:68:28:68:39 | ...::get | The URL of this request depends on a $@. | request_forgery_tests.rs:65:33:65:40 | and_then | user-provided value |
 edges
 | request_forgery_tests.rs:4:5:4:14 | res | request_forgery_tests.rs:16:27:16:49 | { ... } | provenance |  |
 | request_forgery_tests.rs:4:5:4:14 | res | request_forgery_tests.rs:20:27:20:57 | { ... } | provenance |  |
@@ -28,22 +30,22 @@ edges
 | request_forgery_tests.rs:16:13:16:15 | url | request_forgery_tests.rs:17:39:17:41 | url | provenance |  |
 | request_forgery_tests.rs:16:27:16:49 | ...::format(...) | request_forgery_tests.rs:4:5:4:14 | res | provenance |  |
 | request_forgery_tests.rs:16:27:16:49 | ...::must_use(...) | request_forgery_tests.rs:16:13:16:15 | url | provenance |  |
-| request_forgery_tests.rs:16:27:16:49 | MacroExpr | request_forgery_tests.rs:16:27:16:49 | ...::format(...) | provenance | MaD:2 |
-| request_forgery_tests.rs:16:27:16:49 | { ... } | request_forgery_tests.rs:16:27:16:49 | ...::must_use(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:16:27:16:49 | MacroExpr | request_forgery_tests.rs:16:27:16:49 | ...::format(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:16:27:16:49 | { ... } | request_forgery_tests.rs:16:27:16:49 | ...::must_use(...) | provenance | MaD:4 |
 | request_forgery_tests.rs:17:38:17:41 | &url [&ref] | request_forgery_tests.rs:17:25:17:36 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | request_forgery_tests.rs:17:39:17:41 | url | request_forgery_tests.rs:17:38:17:41 | &url [&ref] | provenance |  |
 | request_forgery_tests.rs:20:13:20:15 | url | request_forgery_tests.rs:21:39:21:41 | url | provenance |  |
 | request_forgery_tests.rs:20:27:20:57 | ...::format(...) | request_forgery_tests.rs:4:5:4:14 | res | provenance |  |
 | request_forgery_tests.rs:20:27:20:57 | ...::must_use(...) | request_forgery_tests.rs:20:13:20:15 | url | provenance |  |
-| request_forgery_tests.rs:20:27:20:57 | MacroExpr | request_forgery_tests.rs:20:27:20:57 | ...::format(...) | provenance | MaD:2 |
-| request_forgery_tests.rs:20:27:20:57 | { ... } | request_forgery_tests.rs:20:27:20:57 | ...::must_use(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:20:27:20:57 | MacroExpr | request_forgery_tests.rs:20:27:20:57 | ...::format(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:20:27:20:57 | { ... } | request_forgery_tests.rs:20:27:20:57 | ...::must_use(...) | provenance | MaD:4 |
 | request_forgery_tests.rs:21:38:21:41 | &url [&ref] | request_forgery_tests.rs:21:25:21:36 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | request_forgery_tests.rs:21:39:21:41 | url | request_forgery_tests.rs:21:38:21:41 | &url [&ref] | provenance |  |
 | request_forgery_tests.rs:24:13:24:15 | url | request_forgery_tests.rs:25:39:25:41 | url | provenance |  |
 | request_forgery_tests.rs:24:27:24:70 | ...::format(...) | request_forgery_tests.rs:4:5:4:14 | res | provenance |  |
 | request_forgery_tests.rs:24:27:24:70 | ...::must_use(...) | request_forgery_tests.rs:24:13:24:15 | url | provenance |  |
-| request_forgery_tests.rs:24:27:24:70 | MacroExpr | request_forgery_tests.rs:24:27:24:70 | ...::format(...) | provenance | MaD:2 |
-| request_forgery_tests.rs:24:27:24:70 | { ... } | request_forgery_tests.rs:24:27:24:70 | ...::must_use(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:24:27:24:70 | MacroExpr | request_forgery_tests.rs:24:27:24:70 | ...::format(...) | provenance | MaD:3 |
+| request_forgery_tests.rs:24:27:24:70 | { ... } | request_forgery_tests.rs:24:27:24:70 | ...::must_use(...) | provenance | MaD:4 |
 | request_forgery_tests.rs:25:38:25:41 | &url [&ref] | request_forgery_tests.rs:25:25:25:36 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | request_forgery_tests.rs:25:39:25:41 | url | request_forgery_tests.rs:25:38:25:41 | &url [&ref] | provenance |  |
 | request_forgery_tests.rs:31:42:31:50 | &user_url [&ref] | request_forgery_tests.rs:31:29:31:40 | ...::get | provenance | MaD:1 Sink:MaD:1 |
@@ -54,10 +56,19 @@ edges
 | request_forgery_tests.rs:37:50:37:58 | &user_url [&ref] | request_forgery_tests.rs:37:37:37:48 | ...::get | provenance | MaD:1 Sink:MaD:1 |
 | request_forgery_tests.rs:37:51:37:58 | user_url | request_forgery_tests.rs:37:50:37:58 | &user_url [&ref] | provenance |  |
 | request_forgery_tests.rs:37:51:37:58 | user_url | request_forgery_tests.rs:37:50:37:58 | &user_url [&ref] | provenance |  |
+| request_forgery_tests.rs:65:33:65:40 | and_then | request_forgery_tests.rs:65:49:65:57 | ...: String | provenance | Src:MaD:2  |
+| request_forgery_tests.rs:65:33:65:40 | and_then | request_forgery_tests.rs:65:49:65:57 | ...: String | provenance | Src:MaD:2  |
+| request_forgery_tests.rs:65:49:65:57 | ...: String | request_forgery_tests.rs:68:42:68:42 | a | provenance |  |
+| request_forgery_tests.rs:65:49:65:57 | ...: String | request_forgery_tests.rs:68:42:68:42 | a | provenance |  |
+| request_forgery_tests.rs:68:41:68:42 | &a [&ref] | request_forgery_tests.rs:68:28:68:39 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| request_forgery_tests.rs:68:41:68:42 | &a [&ref] | request_forgery_tests.rs:68:28:68:39 | ...::get | provenance | MaD:1 Sink:MaD:1 |
+| request_forgery_tests.rs:68:42:68:42 | a | request_forgery_tests.rs:68:41:68:42 | &a [&ref] | provenance |  |
+| request_forgery_tests.rs:68:42:68:42 | a | request_forgery_tests.rs:68:41:68:42 | &a [&ref] | provenance |  |
 models
 | 1 | Sink: reqwest::get; Argument[0]; request-url |
-| 2 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
-| 3 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
+| 2 | Source: <_ as warp::filter::Filter>::and_then; Argument[0].Parameter[0..7]; remote |
+| 3 | Summary: alloc::fmt::format; Argument[0]; ReturnValue; taint |
+| 4 | Summary: core::hint::must_use; Argument[0]; ReturnValue; value |
 nodes
 | request_forgery_tests.rs:4:5:4:14 | res | semmle.label | res |
 | request_forgery_tests.rs:4:5:4:14 | res | semmle.label | res |
@@ -106,4 +117,14 @@ nodes
 | request_forgery_tests.rs:37:50:37:58 | &user_url [&ref] | semmle.label | &user_url [&ref] |
 | request_forgery_tests.rs:37:51:37:58 | user_url | semmle.label | user_url |
 | request_forgery_tests.rs:37:51:37:58 | user_url | semmle.label | user_url |
+| request_forgery_tests.rs:65:33:65:40 | and_then | semmle.label | and_then |
+| request_forgery_tests.rs:65:33:65:40 | and_then | semmle.label | and_then |
+| request_forgery_tests.rs:65:49:65:57 | ...: String | semmle.label | ...: String |
+| request_forgery_tests.rs:65:49:65:57 | ...: String | semmle.label | ...: String |
+| request_forgery_tests.rs:68:28:68:39 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:68:28:68:39 | ...::get | semmle.label | ...::get |
+| request_forgery_tests.rs:68:41:68:42 | &a [&ref] | semmle.label | &a [&ref] |
+| request_forgery_tests.rs:68:41:68:42 | &a [&ref] | semmle.label | &a [&ref] |
+| request_forgery_tests.rs:68:42:68:42 | a | semmle.label | a |
+| request_forgery_tests.rs:68:42:68:42 | a | semmle.label | a |
 subpaths

rust/ql/test/library-tests/dataflow/sources/web_frameworks.rs

@@ -62,10 +62,10 @@ mod warp_test {
     async fn test_warp() {
         // A route with parameter and `and_then`
         let map_route =
-            warp::path::param().and_then(async |a: String| // $ MISSING: Source=a
+            warp::path::param().and_then(async |a: String| // $ Source=a
             {
 
-            let response = reqwest::get(&a).await; // $ MISSING: Alert[rust/request-forgery]=a
+            let response = reqwest::get(&a).await; // $ Alert[rust/request-forgery]=a
             match response {
                 Ok(resp) => Ok(resp.text().await.unwrap_or_default()),
                 Err(_err) => Err(warp::reject::not_found()),

rust/ql/test/query-tests/security/CWE-918/RequestForgery.expected

@@ -1206,12 +1206,12 @@ module Make<
        * Holds if this node is an exit node, i.e. after all stores have been performed.
        *
        * A local flow step should be added from this node to a data flow node representing
-       * `sc` inside `source`.
+       * `s` inside `source`.
        */
-      predicate isExit(SourceElement source, SummaryComponent sc, string model) {
+      predicate isExit(SourceElement source, SummaryComponentStack s, string model) {
         source = source_ and
         model = model_ and
-        state_.isSourceOutputState(source, TSingletonSummaryComponentStack(sc), _, model)
+        state_.isSourceOutputState(source, s, _, model)
       }
 
       override predicate isHidden() { not this.isEntry(_, _) }
@@ -1460,7 +1460,7 @@ module Make<
 
       DataFlowType getSyntheticGlobalType(SyntheticGlobal sg);
 
-      DataFlowType getSourceType(SourceBase source, SummaryComponent sc);
+      DataFlowType getSourceType(SourceBase source, SummaryComponentStack sc);
 
       DataFlowType getSinkType(SinkBase sink, SummaryComponent sc);
     }
@@ -1543,9 +1543,9 @@ module Make<
         )
         or
         exists(SourceElement source |
-          exists(SummaryComponent sc |
-            n.(SourceOutputNode).isExit(source, sc, _) and
-            result = getSourceType(source, sc)
+          exists(SummaryComponentStack s |
+            n.(SourceOutputNode).isExit(source, s, _) and
+            result = getSourceType(source, s)
           )
           or
           exists(SummaryComponentStack s, ContentSet cont |
@@ -1574,13 +1574,16 @@ module Make<
       /** Gets a call that targets summarized callable `sc`. */
       DataFlowCall getACall(SummarizedCallable sc);
 
+      /** Gets the enclosing callable of `source`. */
+      DataFlowCallable getSourceNodeEnclosingCallable(SourceBase source);
+
       /**
-       * Gets a data flow node corresponding to the `sc` part of `source`.
+       * Gets a data flow node corresponding to the `s` part of `source`.
        *
-       * `sc` is typically `ReturnValue` and the result is the node that
+       * `s` is typically `ReturnValue` and the result is the node that
        * represents the return value of `source`.
        */
-      Node getSourceNode(SourceBase source, SummaryComponent sc);
+      Node getSourceNode(SourceBase source, SummaryComponentStack s);
 
       /**
        * Gets a data flow node corresponding to the `sc` part of `sink`.
@@ -1622,13 +1625,20 @@ module Make<
         )
       }
 
-      predicate sourceLocalStep(SourceOutputNode nodeFrom, Node nodeTo, string model) {
-        exists(SummaryComponent sc, SourceElement source |
+      predicate sourceStep(SourceOutputNode nodeFrom, Node nodeTo, string model, boolean local) {
+        exists(SummaryComponentStack sc, SourceElement source |
           nodeFrom.isExit(source, sc, model) and
-          nodeTo = StepsInput::getSourceNode(source, sc)
+          nodeTo = StepsInput::getSourceNode(source, sc) and
+          if StepsInput::getSourceNodeEnclosingCallable(source) = getNodeEnclosingCallable(nodeTo)
+          then local = true
+          else local = false
         )
       }
 
+      predicate sourceLocalStep(SourceOutputNode nodeFrom, Node nodeTo, string model) {
+        sourceStep(nodeFrom, nodeTo, model, true)
+      }
+
       predicate sinkLocalStep(Node nodeFrom, SinkInputNode nodeTo, string model) {
         exists(SummaryComponent sc, SinkElement sink |
           nodeFrom = StepsInput::getSinkNode(sink, sc) and
@@ -1689,6 +1699,10 @@ module Make<
         )
       }
 
+      predicate sourceJumpStep(SourceOutputNode nodeFrom, Node nodeTo) {
+        sourceStep(nodeFrom, nodeTo, _, false)
+      }
+
       /**
        * Holds if values stored inside content `c` are cleared at `n`. `n` is a
        * synthesized summary node, so in order for values to be cleared at calls