Rust: tainted path implement basic sanitizers

Author: aibaars

rust/ql/lib/codeql/rust/Concepts.qll

@@ -8,6 +8,8 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.threatmodels.ThreatModels
 private import codeql.rust.Frameworks
 private import codeql.rust.dataflow.FlowSource
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
 
 /**
  * A data flow source for a specific threat-model.
@@ -264,3 +266,44 @@ module Cryptography {
 
   class CryptographicAlgorithm = SC::CryptographicAlgorithm;
 }
+
+/** Provides classes for modeling path-related APIs. */
+module Path {
+  /**
+   * A data-flow node that performs path normalization. This is often needed in order
+   * to safely access paths.
+   */
+  class PathNormalization extends DataFlow::Node instanceof PathNormalization::Range {
+    /** Gets an argument to this path normalization that is interpreted as a path. */
+    DataFlow::Node getPathArg() { result = super.getPathArg() }
+  }
+
+  /** Provides a class for modeling new path normalization APIs. */
+  module PathNormalization {
+    /**
+     * A data-flow node that performs path normalization. This is often needed in order
+     * to safely access paths.
+     */
+    abstract class Range extends DataFlow::Node {
+      /** Gets an argument to this path normalization that is interpreted as a path. */
+      abstract DataFlow::Node getPathArg();
+    }
+  }
+
+  class SafeAccessCheck extends DataFlow::ExprNode {
+    SafeAccessCheck() { this = DataFlow::BarrierGuard<safeAccessCheck/3>::getABarrierNode() }
+  }
+
+  private predicate safeAccessCheck(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) {
+    g.(SafeAccessCheck::Range).checks(node, branch)
+  }
+
+  /** Provides a class for modeling new path safety checks. */
+  module SafeAccessCheck {
+    /** A data-flow node that checks that a path is safe to access. */
+    abstract class Range extends CfgNodes::AstCfgNode {
+      /** Holds if this guard validates `node` upon evaluating to `branch`. */
+      abstract predicate checks(Cfg::CfgNode node, boolean branch);
+    }
+  }
+}

rust/ql/lib/codeql/rust/Frameworks.qll

@@ -6,3 +6,4 @@ private import codeql.rust.frameworks.rustcrypto.RustCrypto
 private import codeql.rust.frameworks.Poem
 private import codeql.rust.frameworks.Sqlx
 private import codeql.rust.frameworks.stdlib.Clone
+private import codeql.rust.frameworks.stdlib.Stdlib

rust/ql/lib/codeql/rust/frameworks/stdlib/Stdlib.qll

@@ -0,0 +1,34 @@
+private import rust
+private import codeql.rust.Concepts
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
+private import codeql.rust.dataflow.DataFlow
+
+/**
+ * A call to the `starts_with` method on a `Path`.
+ */
+private class StartswithCall extends Path::SafeAccessCheck::Range, CfgNodes::MethodCallExprCfgNode {
+  StartswithCall() {
+    this.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::starts_with"
+  }
+
+  override predicate checks(Cfg::CfgNode e, boolean branch) {
+    e = this.getReceiver() and
+    branch = true
+  }
+}
+
+/**
+ * A call to `Path.canonicalize`.
+ * See https://doc.rust-lang.org/std/path/struct.Path.html#method.canonicalize
+ */
+private class PathCanonicalizeCall extends Path::PathNormalization::Range {
+  CfgNodes::MethodCallExprCfgNode call;
+
+  PathCanonicalizeCall() {
+    call = this.asExpr() and
+    call.getAstNode().(Resolvable).getResolvedPath() = "<crate::path::Path>::canonicalize"
+  }
+
+  override DataFlow::Node getPathArg() { result.asExpr() = call.getReceiver() }
+}

rust/ql/lib/codeql/rust/frameworks/stdlib/fs.model.yml

@@ -16,3 +16,4 @@ extensions:
       - ["lang:std", "<crate::path::PathBuf as crate::convert::From>::from", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["lang:std", "<crate::path::Path>::join", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:std", "<crate::path::Path>::join", "Argument[0]", "ReturnValue", "taint", "manual"]
+      - ["lang:std", "<crate::path::Path>::canonicalize", "Argument[self]", "ReturnValue.Field[crate::result::Result::Ok(0)]", "taint", "manual"]

rust/ql/lib/codeql/rust/frameworks/stdlib/lang-core.model.yml

@@ -32,3 +32,6 @@ extensions:
       - ["lang:alloc", "<crate::string::String>::as_str", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:alloc", "<crate::string::String>::as_bytes", "Argument[self]", "ReturnValue", "taint", "manual"]
       - ["lang:alloc", "<_ as crate::string::ToString>::to_string", "Argument[self]", "ReturnValue", "taint", "manual"]
+      # Result
+      - ["lang:core", "<crate::result::Result>::unwrap", "Argument[self]", "ReturnValue", "taint", "manual"]
+

rust/ql/lib/codeql/rust/security/TaintedPathExtensions.qll

@@ -7,6 +7,8 @@ private import codeql.rust.dataflow.DataFlow
 private import codeql.rust.dataflow.TaintTracking
 private import codeql.rust.Concepts
 private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.controlflow.ControlFlowGraph as Cfg
+private import codeql.rust.controlflow.CfgNodes as CfgNodes
 
 /**
  * Provides default sources, sinks and barriers for detecting path injection
@@ -28,6 +30,10 @@ module TaintedPath {
    */
   abstract class Barrier extends DataFlow::Node { }
 
+  class SanitizerGuard extends DataFlow::Node {
+    SanitizerGuard() { this = DataFlow::BarrierGuard<sanitizerGuard/3>::getABarrierNode() }
+  }
+
   /**
    * An active threat-model source, considered as a flow source.
    */
@@ -38,3 +44,33 @@ module TaintedPath {
     ModelsAsDataSinks() { sinkNode(this, "path-injection") }
   }
 }
+
+private predicate sanitizerGuard(CfgNodes::AstCfgNode g, Cfg::CfgNode node, boolean branch) {
+  g.(SanitizerGuard::Range).checks(node, branch)
+}
+
+/** Provides a class for modeling new path safety checks. */
+module SanitizerGuard {
+  /** A data-flow node that checks that a path is safe to access. */
+  abstract class Range extends CfgNodes::AstCfgNode {
+    /** Holds if this guard validates `node` upon evaluating to `branch`. */
+    abstract predicate checks(Cfg::CfgNode node, boolean branch);
+  }
+}
+
+/**
+ * A check of the form `!strings.Contains(nd, "..")`, considered as a sanitizer guard for
+ * path traversal.
+ */
+private class DotDotCheck extends SanitizerGuard::Range, CfgNodes::MethodCallExprCfgNode {
+  DotDotCheck() {
+    this.getAstNode().(Resolvable).getResolvedPath() = "<str>::contains" and
+    this.getArgument(0).getAstNode().(LiteralExpr).getTextValue() =
+      ["\"..\"", "\"../\"", "\"..\\\""]
+  }
+
+  override predicate checks(Cfg::CfgNode e, boolean branch) {
+    e = this.getReceiver() and
+    branch = false
+  }
+}

rust/ql/src/queries/security/CWE-022/TaintedPath.ql

@@ -19,19 +19,72 @@ import codeql.rust.dataflow.DataFlow
 import codeql.rust.dataflow.TaintTracking
 import codeql.rust.security.TaintedPathExtensions
 import TaintedPathFlow::PathGraph
+private import codeql.rust.Concepts
+
+abstract private class NormalizationState extends string {
+  bindingset[this]
+  NormalizationState() { any() }
+}
+
+/** A state signifying that the file path has not been normalized. */
+class NotNormalized extends NormalizationState {
+  NotNormalized() { this = "NotNormalized" }
+}
+
+/** A state signifying that the file path has been normalized, but not checked. */
+class NormalizedUnchecked extends NormalizationState {
+  NormalizedUnchecked() { this = "NormalizedUnchecked" }
+}
 
 /**
- * A taint configuration for tainted data that reaches a file access sink.
+ * This configuration uses two flow states, `NotNormalized` and `NormalizedUnchecked`,
+ * to track the requirement that a file path must be first normalized and then checked
+ * before it is safe to use.
+ *
+ * At sources, paths are assumed not normalized. At normalization points, they change
+ * state to `NormalizedUnchecked` after which they can be made safe by an appropriate
+ * check of the prefix.
+ *
+ * Such checks are ineffective in the `NotNormalized` state.
  */
-module TaintedPathConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node node) { node instanceof TaintedPath::Source }
+module TaintedPathConfig implements DataFlow::StateConfigSig {
+  class FlowState = NormalizationState;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof TaintedPath::Source and state instanceof NotNormalized
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    sink instanceof TaintedPath::Sink and
+    (
+      state instanceof NotNormalized or
+      state instanceof NormalizedUnchecked
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    node instanceof TaintedPath::Barrier or node instanceof TaintedPath::SanitizerGuard
+  }
 
-  predicate isSink(DataFlow::Node node) { node instanceof TaintedPath::Sink }
+  predicate isBarrier(DataFlow::Node node, FlowState state) {
+    // Block `NotNormalized` paths here, since they change state to `NormalizedUnchecked`
+    node instanceof Path::PathNormalization and
+    state instanceof NotNormalized
+    or
+    node instanceof Path::SafeAccessCheck and
+    state instanceof NormalizedUnchecked
+  }
 
-  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof TaintedPath::Barrier }
+  predicate isAdditionalFlowStep(
+    DataFlow::Node nodeFrom, FlowState stateFrom, DataFlow::Node nodeTo, FlowState stateTo
+  ) {
+    nodeFrom = nodeTo.(Path::PathNormalization).getPathArg() and
+    stateFrom instanceof NotNormalized and
+    stateTo instanceof NormalizedUnchecked
+  }
 }
 
-module TaintedPathFlow = TaintTracking::Global<TaintedPathConfig>;
+module TaintedPathFlow = TaintTracking::GlobalWithState<TaintedPathConfig>;
 
 from TaintedPathFlow::PathNode source, TaintedPathFlow::PathNode sink
 where TaintedPathFlow::flowPath(source, sink)

rust/ql/test/library-tests/dataflow/local/DataFlowStep.expected

@@ -2165,6 +2165,7 @@ storeStep
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<crate::result::Result>::or_else | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<crate::result::Result>::or_else |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:core::_::<str>::parse | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:core::_::<str>::parse |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<&[u8] as crate::io::BufRead>::fill_buf |
+| file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::path::Path>::canonicalize | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::path::Path>::canonicalize |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout |
 | file://:0:0:0:0 | [summary] to write: ReturnValue.Field[crate::result::Result::Ok(0)] in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout_ms | Ok | file://:0:0:0:0 | [summary] to write: ReturnValue in lang:std::_::<crate::sync::poison::condvar::Condvar>::wait_timeout_ms |

rust/ql/test/query-tests/diagnostics/SummaryStats.expected

@@ -15,7 +15,7 @@
 | Macro calls - resolved | 8 |
 | Macro calls - total | 9 |
 | Macro calls - unresolved | 1 |
-| Taint edges - number of edges | 1674 |
+| Taint edges - number of edges | 1675 |
 | Taint reach - nodes tainted | 0 |
 | Taint reach - per million nodes | 0 |
 | Taint sinks - cryptographic operations | 0 |

rust/ql/test/query-tests/security/CWE-020/RegexInjection.expected

@@ -3,14 +3,14 @@
 edges
 | main.rs:4:9:4:16 | username | main.rs:5:25:5:44 | MacroExpr | provenance |  |
 | main.rs:4:20:4:32 | ...::var | main.rs:4:20:4:40 | ...::var(...) [Ok] | provenance | Src:MaD:62  |
-| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1597 |
+| main.rs:4:20:4:40 | ...::var(...) [Ok] | main.rs:4:20:4:66 | ... .unwrap_or(...) | provenance | MaD:1599 |
 | main.rs:4:20:4:66 | ... .unwrap_or(...) | main.rs:4:9:4:16 | username | provenance |  |
 | main.rs:5:9:5:13 | regex | main.rs:6:26:6:30 | regex | provenance |  |
 | main.rs:5:17:5:45 | res | main.rs:5:25:5:44 | { ... } | provenance |  |
 | main.rs:5:25:5:44 | ...::format(...) | main.rs:5:17:5:45 | res | provenance |  |
 | main.rs:5:25:5:44 | ...::must_use(...) | main.rs:5:9:5:13 | regex | provenance |  |
-| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:70 |
-| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3020 |
+| main.rs:5:25:5:44 | MacroExpr | main.rs:5:25:5:44 | ...::format(...) | provenance | MaD:71 |
+| main.rs:5:25:5:44 | { ... } | main.rs:5:25:5:44 | ...::must_use(...) | provenance | MaD:3022 |
 | main.rs:6:26:6:30 | regex | main.rs:6:25:6:30 | &regex | provenance |  |
 nodes
 | main.rs:4:9:4:16 | username | semmle.label | username |