Rust: Implement the query (with one source, one sink model).

geoffw0 · geoffw0 · commit 9fb00daeecb4 · 2025-03-06T17:48:39.000Z
diff --git a/rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml b/rust/ql/lib/codeql/rust/frameworks/rustcrypto/rustcrypto.model.yml
@@ -8,3 +8,4 @@ extensions:
       - ["repo:https://github.com/RustCrypto/traits:digest", "<_ as crate::digest::Digest>::chain_update", "Argument[0]", "hasher-input", "manual"]
       - ["repo:https://github.com/RustCrypto/traits:digest", "<_ as crate::digest::Digest>::digest", "Argument[0]", "hasher-input", "manual"]
       - ["repo:https://github.com/stainless-steel/md5:md5", "crate::compute", "Argument[0]", "hasher-input", "manual"]
+      - ["repo:https://github.com/RustCrypto/traits:crypto-common", "crate::KeyInit::new_from_slice", "Argument[0]", "credentials-key", "manual"]
diff --git a/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll b/rust/ql/lib/codeql/rust/security/HardcodedCryptographicValueExtensions.qll
@@ -0,0 +1,57 @@
+/**
+ * Provides classes and predicates for reasoning about hardcoded cryptographic value
+ * vulnerabilities.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.security.SensitiveData
+
+/**
+ * Provides default sources, sinks and barriers for detecting hardcoded cryptographic
+ * value vulnerabilities, as well as extension points for adding your own.
+ */
+module HardcodedCryptographicValue {
+  /**
+   * A data flow source for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Sink extends DataFlow::Node {
+    /**
+     * Gets the kind of credential this sink is interpreted as,
+     * for example "password", "key", "iv", "salt".
+     */
+    abstract string getKind();
+  }
+
+  /**
+   * A barrier for hardcoded cryptographic value vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * A literal, considered as a flow source.
+   */
+  private class LiteralSource extends Source {
+    LiteralSource() { this.asExpr().getExpr() instanceof LiteralExpr }
+  }
+
+  /**
+   * A sink for hardcoded cryptographic value from model data.
+   */
+  private class ModelsAsDataSinks extends Sink {
+    string kind;
+
+    ModelsAsDataSinks() {
+      kind = ["password", "key", "iv", "salt"] and
+      sinkNode(this, "credentials-" + kind)
+    }
+
+    override string getKind() { result = kind }
+  }
+}
diff --git a/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql b/rust/ql/src/queries/security/CWE-798/HardcodedCryptographicValue.ql
@@ -2,7 +2,7 @@
  * @name Hard-coded cryptographic value
  * @description Using hardcoded keys, passwords, salts or initialization
  *              vectors is not secure.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @security-severity TODO
  * @precision high
@@ -15,7 +15,36 @@
  */
 
 import rust
+import codeql.rust.security.HardcodedCryptographicValueExtensions
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.dataflow.internal.DataFlowImpl
 
-from Locatable e
-where none()
-select e, ""
+/**
+ * A taint-tracking configuration for hardcoded cryptographic value vulnerabilities.
+ */
+module HardcodedCryptographicValueConfig implements DataFlow::ConfigSig {
+  import HardcodedCryptographicValue
+
+  predicate isSource(DataFlow::Node source) { source instanceof Source }
+
+  predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) {
+    // flow out from reference content at sinks.
+    isSink(node) and
+    c.getAReadContent() instanceof ReferenceContent
+  }
+}
+
+module HardcodedCryptographicValueFlow = TaintTracking::Global<HardcodedCryptographicValueConfig>;
+
+import HardcodedCryptographicValueFlow::PathGraph
+
+from
+  HardcodedCryptographicValueFlow::PathNode source, HardcodedCryptographicValueFlow::PathNode sink
+where HardcodedCryptographicValueFlow::flowPath(source, sink)
+select source.getNode(), source, sink, "This hard-coded value is used as $@.", sink,
+  sink.getNode().(HardcodedCryptographicValueConfig::Sink).getKind()
diff --git a/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected b/rust/ql/test/query-tests/security/CWE-798/HardcodedCryptographicValue.expected
@@ -0,0 +1,16 @@
+#select
+| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:74:23:74:44 | ...::new_from_slice | This hard-coded value is used as $@. | test_cipher.rs:74:23:74:44 | ...::new_from_slice | key |
+edges
+| test_cipher.rs:73:9:73:14 | const2 [&ref, element] | test_cipher.rs:74:46:74:51 | const2 [&ref, element] | provenance |  |
+| test_cipher.rs:73:18:73:26 | &... [&ref, element] | test_cipher.rs:73:9:73:14 | const2 [&ref, element] | provenance |  |
+| test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | test_cipher.rs:73:18:73:26 | &... [&ref, element] | provenance |  |
+| test_cipher.rs:73:20:73:22 | 0u8 | test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | provenance |  |
+| test_cipher.rs:74:46:74:51 | const2 [&ref, element] | test_cipher.rs:74:23:74:44 | ...::new_from_slice | provenance | MaD:54 Sink:MaD:54 Sink:MaD:54 |
+nodes
+| test_cipher.rs:73:9:73:14 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+| test_cipher.rs:73:18:73:26 | &... [&ref, element] | semmle.label | &... [&ref, element] |
+| test_cipher.rs:73:19:73:26 | [0u8; 32] [element] | semmle.label | [0u8; 32] [element] |
+| test_cipher.rs:73:20:73:22 | 0u8 | semmle.label | 0u8 |
+| test_cipher.rs:74:23:74:44 | ...::new_from_slice | semmle.label | ...::new_from_slice |
+| test_cipher.rs:74:46:74:51 | const2 [&ref, element] | semmle.label | const2 [&ref, element] |
+subpaths
diff --git a/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-798/test_cipher.rs
@@ -70,8 +70,8 @@ fn test_block_cipher_aes(
     let aes_cipher3 = Aes256::new_from_slice(key256).unwrap();
     aes_cipher3.encrypt_block(block128.into());
 
-    let const2 = &[0u8;32]; // $ MISSING: Alert[rust/hardcoded-crytographic-value]
-    let aes_cipher4 = Aes256::new_from_slice(const2).unwrap();
+    let const2 = &[0u8;32]; // $ Alert[rust/hardcoded-crytographic-value]
+    let aes_cipher4 = Aes256::new_from_slice(const2).unwrap(); // $ Sink
     aes_cipher4.encrypt_block(block128.into());
 
     let aes_cipher5 = cfb_mode::Encryptor::<aes::Aes256>::new(key.into(), iv.into());
