Rust: Define Rust queries and extensions more consistently.

Author: geoffw0

rust/ql/lib/codeql/rust/security/CleartextLoggingExtensions.qll

@@ -36,8 +36,10 @@ module CleartextLogging {
    */
   private class SensitiveDataAsSource extends Source instanceof SensitiveData { }
 
-  /** A sink for logging from model data. */
-  private class ModelsAsDataSinks extends Sink {
-    ModelsAsDataSinks() { exists(string s | sinkNode(this, s) and s.matches("log-injection%")) }
+  /**
+   * A sink for logging from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { exists(string s | sinkNode(this, s) and s.matches("log-injection%")) }
   }
 }

rust/ql/lib/codeql/rust/security/CleartextTransmissionExtensions.qll

@@ -10,32 +10,48 @@ private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 
 /**
- * A data flow sink for cleartext transmission vulnerabilities. That is,
- * a `DataFlow::Node` of something that is transmitted over a network.
+ * Provides default sources, sinks and barriers for detecting cleartext transmission
+ * vulnerabilities, as well as extension points for adding your own.
  */
-abstract class CleartextTransmissionSink extends QuerySink::Range {
-  override string getSinkType() { result = "CleartextTransmission" }
-}
+module CleartextTransmission {
+  /**
+   * A data flow source for cleartext transmission vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
 
-/**
- * A barrier for cleartext transmission vulnerabilities.
- */
-abstract class CleartextTransmissionBarrier extends DataFlow::Node { }
+  /**
+   * A data flow sink for cleartext transmission vulnerabilities. That is,
+   * a `DataFlow::Node` of something that is transmitted over a network.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "CleartextTransmission" }
+  }
 
-/**
- * A unit class for adding additional flow steps.
- */
-class CleartextTransmissionAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a flow
-   * step for paths related to cleartext transmission vulnerabilities.
+   * A barrier for cleartext transmission vulnerabilities.
    */
-  abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
-}
+  abstract class Barrier extends DataFlow::Node { }
 
-/**
- * A sink defined through MaD.
- */
-private class MadCleartextTransmissionSink extends CleartextTransmissionSink {
-  MadCleartextTransmissionSink() { sinkNode(this, "transmission") }
+  /**
+   * A unit class for adding additional flow steps.
+   */
+  class AdditionalFlowStep extends Unit {
+    /**
+     * Holds if the step from `node1` to `node2` should be considered a flow
+     * step for paths related to cleartext transmission vulnerabilities.
+     */
+    abstract predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo);
+  }
+
+  /**
+   * Sensitive data, considered as a flow source.
+   */
+  private class SensitiveDataAsSource extends Source instanceof SensitiveData { }
+
+  /**
+   * A sink defined through MaD.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "transmission") }
+  }
 }

rust/ql/lib/codeql/rust/security/SqlInjectionExtensions.qll

@@ -51,8 +51,10 @@ module SqlInjection {
     SqlExecutionAsSink() { this = any(SqlExecution e).getSql() }
   }
 
-  /** A sink for sql-injection from model data. */
-  private class ModelsAsDataSinks extends Sink {
-    ModelsAsDataSinks() { sinkNode(this, "sql-injection") }
+  /**
+   * A sink for sql-injection from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "sql-injection") }
   }
 }

rust/ql/lib/codeql/rust/security/regex/RegexInjectionExtensions.qll

@@ -11,60 +11,71 @@ private import codeql.rust.dataflow.FlowSink
 private import codeql.rust.Concepts
 
 /**
- * A data flow sink for regular expression injection vulnerabilities.
+ * Provides default sources, sinks and barriers for detecting regular expression
+ * injection vulnerabilities, as well as extension points for adding your own.
  */
-abstract class RegexInjectionSink extends QuerySink::Range {
-  override string getSinkType() { result = "RegexInjection" }
-}
+module RegexInjection {
+  /**
+   * A data flow sink for regular expression injection vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "RegexInjection" }
+  }
 
-/**
- * A barrier for regular expression injection vulnerabilities.
- */
-abstract class RegexInjectionBarrier extends DataFlow::Node { }
+  /**
+   * A barrier for regular expression injection vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
 
-/** A sink for `a` in `Regex::new(a)` when `a` is not a literal. */
-private class NewRegexInjectionSink extends RegexInjectionSink {
-  NewRegexInjectionSink() {
-    exists(CallExprCfgNode call, PathExpr path |
-      path = call.getFunction().getExpr() and
-      path.getResolvedCrateOrigin() = "repo:https://github.com/rust-lang/regex:regex" and
-      path.getResolvedPath() = "<crate::regex::string::Regex>::new" and
-      this.asExpr() = call.getArgument(0) and
-      not this.asExpr() instanceof LiteralExprCfgNode
-    )
+  /**
+   * A sink for `a` in `Regex::new(a)` when `a` is not a literal.
+   */
+  private class NewSink extends Sink {
+    NewSink() {
+      exists(CallExprCfgNode call, PathExpr path |
+        path = call.getFunction().getExpr() and
+        path.getResolvedCrateOrigin() = "repo:https://github.com/rust-lang/regex:regex" and
+        path.getResolvedPath() = "<crate::regex::string::Regex>::new" and
+        this.asExpr() = call.getArgument(0) and
+        not this.asExpr() instanceof LiteralExprCfgNode
+      )
+    }
   }
-}
 
-private class MadRegexInjectionSink extends RegexInjectionSink {
-  MadRegexInjectionSink() { sinkNode(this, "regex-use") }
-}
+  /**
+   * A sink for regular expression injection from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { sinkNode(this, "regex-use") }
+  }
 
-/**
- * A unit class for adding additional flow steps.
- */
-class RegexInjectionAdditionalFlowStep extends Unit {
   /**
-   * Holds if the step from `node1` to `node2` should be considered a flow
-   * step for paths related to regular expression injection vulnerabilities.
+   * A unit class for adding additional flow steps.
    */
-  abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
-}
+  class AdditionalFlowStep extends Unit {
+    /**
+     * Holds if the step from `node1` to `node2` should be considered a flow
+     * step for paths related to regular expression injection vulnerabilities.
+     */
+    abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
+  }
 
-/**
- * An escape barrier for regular expression injection vulnerabilities.
- */
-private class RegexInjectionDefaultBarrier extends RegexInjectionBarrier {
-  RegexInjectionDefaultBarrier() {
-    // A barrier is any call to a function named `escape`, in particular this
-    // makes calls to `regex::escape` a barrier.
-    this.asExpr()
-        .getExpr()
-        .(CallExpr)
-        .getFunction()
-        .(PathExpr)
-        .getPath()
-        .getSegment()
-        .getIdentifier()
-        .getText() = "escape"
+  /**
+   * An escape barrier for regular expression injection vulnerabilities.
+   */
+  private class DefaultBarrier extends Barrier {
+    DefaultBarrier() {
+      // A barrier is any call to a function named `escape`, in particular this
+      // makes calls to `regex::escape` a barrier.
+      this.asExpr()
+          .getExpr()
+          .(CallExpr)
+          .getFunction()
+          .(PathExpr)
+          .getPath()
+          .getSegment()
+          .getIdentifier()
+          .getText() = "escape"
+    }
   }
 }

rust/ql/src/queries/security/CWE-020/RegexInjection.ql

@@ -24,14 +24,16 @@ private import codeql.rust.security.regex.RegexInjectionExtensions
  * A taint configuration for detecting regular expression injection vulnerabilities.
  */
 module RegexInjectionConfig implements DataFlow::ConfigSig {
+  import RegexInjection
+
   predicate isSource(DataFlow::Node source) { source instanceof ActiveThreatModelSource }
 
-  predicate isSink(DataFlow::Node sink) { sink instanceof RegexInjectionSink }
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
-  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof RegexInjectionBarrier }
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(RegexInjectionAdditionalFlowStep s).step(nodeFrom, nodeTo)
+    any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 }
 

rust/ql/src/queries/security/CWE-089/SqlInjection.ql

@@ -20,11 +20,13 @@ import SqlInjectionFlow::PathGraph
  * A taint configuration for tainted data that reaches a SQL sink.
  */
 module SqlInjectionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof SqlInjection::Source }
+  import SqlInjection
 
-  predicate isSink(DataFlow::Node node) { node instanceof SqlInjection::Sink }
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
 
-  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof SqlInjection::Barrier }
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
 }
 
 module SqlInjectionFlow = TaintTracking::Global<SqlInjectionConfig>;

rust/ql/src/queries/security/CWE-311/CleartextTransmission.ql

@@ -22,14 +22,16 @@ import codeql.rust.security.CleartextTransmissionExtensions
  * transmitted over a network.
  */
 module CleartextTransmissionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof SensitiveData }
+  import CleartextTransmission
 
-  predicate isSink(DataFlow::Node node) { node instanceof CleartextTransmissionSink }
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
 
-  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof CleartextTransmissionBarrier }
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
 
   predicate isAdditionalFlowStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    any(CleartextTransmissionAdditionalFlowStep s).step(nodeFrom, nodeTo)
+    any(AdditionalFlowStep s).step(nodeFrom, nodeTo)
   }
 
   predicate isBarrierIn(DataFlow::Node node) {

rust/ql/test/query-tests/security/CWE-020/RegexInjectionSink.ql

@@ -1,4 +1,4 @@
 private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.security.regex.RegexInjectionExtensions
 
-query predicate regexInjectionSink(DataFlow::Node node) { node instanceof RegexInjectionSink }
+query predicate regexInjectionSink(DataFlow::Node node) { node instanceof RegexInjection::Sink }