Merge pull request #18943 from geoffw0/constcrypto

Rust: new query rust/hardcoded-crytographic-value

Author: geoffw0

rust/ql/integration-tests/query-suite/rust-code-scanning.qls.expected

@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql
 ql/rust/ql/src/queries/summary/LinesOfUserCode.ql

rust/ql/integration-tests/query-suite/rust-security-and-quality.qls.expected

@@ -16,6 +16,7 @@ ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-696/BadCtorInitialization.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql

rust/ql/integration-tests/query-suite/rust-security-extended.qls.expected

@@ -15,6 +15,7 @@ ql/rust/ql/src/queries/security/CWE-312/CleartextLogging.ql
 ql/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
 ql/rust/ql/src/queries/security/CWE-328/WeakSensitiveDataHashing.ql
 ql/rust/ql/src/queries/security/CWE-770/UncontrolledAllocationSize.ql
+ql/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessAfterLifetime.ql
 ql/rust/ql/src/queries/security/CWE-825/AccessInvalidPointer.ql
 ql/rust/ql/src/queries/summary/LinesOfCode.ql

rust/ql/lib/codeql/rust/frameworks/genericarray.model.yml

@@ -0,0 +1,9 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: summaryModel
+    data:
+      - ["<generic_array::GenericArray>::from_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::from_mut_slice", "Argument[0].Reference", "ReturnValue.Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::try_from_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]
+      - ["<generic_array::GenericArray>::try_from_mut_slice", "Argument[0].Reference", "ReturnValue.Field[crate::result::Result::Ok(0)].Reference", "value", "manual"]

rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml

@@ -8,3 +8,28 @@ extensions:
       - ["<_ as digest::digest::Digest>::chain_update", "Argument[0]", "hasher-input", "manual"]
       - ["<_ as digest::digest::Digest>::digest", "Argument[0]", "hasher-input", "manual"]
       - ["md5::compute", "Argument[0]", "hasher-input", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<_ as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<cipher::stream_wrapper::StreamCipherCoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new", "Argument[1]", "credentials-iv", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[0]", "credentials-key", "manual"]
+      - ["<digest::core_api::wrapper::CoreWrapper as crypto_common::KeyIvInit>::new_from_slice", "Argument[1]", "credentials-iv", "manual"]
+      - ["<_ as aead::Aead>::encrypt", "Argument[0]", "credentials-nonce", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -3,6 +3,12 @@ extensions:
       pack: codeql/rust-all
       extensible: summaryModel
     data:
+      # Conversions
+      - ["<core::alloc::layout::Layout>::align_to", "Argument[self].Element", "ReturnValue.Field[0,1,2].Reference.Element", "taint", "manual"]
+      - ["<_ as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<_ as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Element", "ReturnValue.Element", "taint", "manual"]
+      - ["<alloc::string::String as core::convert::Into>::into", "Argument[self].Reference.Element", "ReturnValue.Element", "taint", "manual"]
       # Iterator
       - ["<core::result::Result>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
       - ["<alloc::vec::Vec as value_trait::array::Array>::iter", "Argument[self].Element", "ReturnValue.Element", "value", "manual"]
@@ -59,6 +65,8 @@ extensions:
       pack: codeql/rust-all
       extensible: sourceModel
     data:
+      # Mem
+      - ["core::mem::zeroed", "ReturnValue.Element", "constant-source", "manual"]
       # Ptr
       - ["core::ptr::drop_in_place", "Argument[0]", "pointer-invalidate", "manual"]
       - ["core::ptr::dangling", "ReturnValue", "pointer-invalidate", "manual"]

rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll

@@ -5,7 +5,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
-private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.security.SensitiveData
 private import codeql.rust.Concepts
 

rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll

@@ -0,0 +1,109 @@
+/**
+ * Provides classes and predicates for reasoning about hard-coded cryptographic value
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.dataflow.FlowSink
+private import codeql.rust.Concepts
+private import codeql.rust.security.SensitiveData
+
+/**
+ * A kind of cryptographic value.
+ */
+class CryptographicValueKind extends string {
+  CryptographicValueKind() { this = ["password", "key", "iv", "nonce", "salt"] }
+
+  /**
+   * Gets a description of this value kind for user-facing messages.
+   */
+  string getDescription() {
+    this = "password" and result = "a password"
+    or
+    this = "key" and result = "a key"
+    or
+    this = "iv" and result = "an initialization vector"
+    or
+    this = "nonce" and result = "a nonce"
+    or
+    this = "salt" and result = "a salt"
+  }
+}
+
+/**
+ * Provides default sources, sinks and barriers for detecting hard-coded cryptographic
+ * value vulnerabilities, as well as extension points for adding your own.
+ */
+module HardcodedCryptographicValue {
+  /**
+   * A data flow source for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "HardcodedCryptographicValue" }
+
+    /**
+     * Gets the kind of credential this sink is interpreted as.
+     */
+    abstract CryptographicValueKind getKind();
+  }
+
+  /**
+   * A barrier for hard-coded cryptographic value vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A literal, considered as a flow source.
+   */
+  private class LiteralSource extends Source {
+    LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr }
+  }
+
+  /**
+   * An array initialized from a list of literals, considered as a single flow source. For example:
+   * ```
+   * `[0, 0, 0, 0]`
+   * ```
+   */
+  private class ArrayListSource extends Source {
+    ArrayListSource() { this.asExpr().getExpr().(ArrayListExpr).getExpr(_) instanceof LiteralExpr }
+  }
+
+  /**
+   * An externally modeled source for constant values.
+   */
+  private class ModeledSource extends Source {
+    ModeledSource() { sourceNode(this, "constant-source") }
+  }
+
+  /**
+   * An externally modeled sink for hard-coded cryptographic value vulnerabilities.
+   */
+  private class ModelsAsDataSinks extends Sink {
+    CryptographicValueKind kind;
+
+    ModelsAsDataSinks() { sinkNode(this, "credentials-" + kind) }
+
+    override CryptographicValueKind getKind() { result = kind }
+  }
+
+  /**
+   * A call to `getrandom` that is a barrier.
+   */
+  private class GetRandomBarrier extends Barrier {
+    GetRandomBarrier() {
+      exists(CallExprBase ce |
+        ce.getStaticTarget().(Addressable).getCanonicalPath() =
+          ["getrandom::fill", "getrandom::getrandom"] and
+        this.asExpr().getExpr().getParentNode*() = ce.getArgList().getArg(0)
+      )
+    }
+  }
+}

rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll

@@ -6,7 +6,7 @@
 
 import rust
 private import codeql.rust.dataflow.DataFlow
-private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 private import codeql.util.Unit
 

rust/ql/src/change-notes/2025-06-24-hardcoded-cryptographic-value.md

@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query, `rust/hardcoded-crytographic-value`, for detecting use of hardcoded keys, passwords, salts and initialization vectors.