Rust: New Query rust/cleartext-storage-database

rust/ql/lib/codeql/rust/frameworks/sqlx.model.yml

@@ -0,0 +1,13 @@
+extensions:
+  - addsTo:
+      pack: codeql/rust-all
+      extensible: sinkModel
+    data:
+      - ["sqlx_core::query::query", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::query_as::query_as", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::query_with::query_with", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::query_as_with::query_as_with", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::query_scalar::query_scalar", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::query_scalar_with::query_scalar_with", "Argument[0]", "database-store", "manual"]
+      - ["sqlx_core::raw_sql::raw_sql", "Argument[0]", "database-store", "manual"]
+      - ["<_ as sqlx_core::executor::Executor>::execute", "Argument[0]", "database-store", "manual"]

rust/ql/lib/codeql/rust/security/CleartextStorageDatabaseExtensions.qll

@@ -0,0 +1,46 @@
+/**
+ * Provides classes and predicates for reasoning about cleartext storage
+ * of sensitive information in a database.
+ */
+
+import rust
+private import codeql.rust.dataflow.DataFlow
+private import codeql.rust.dataflow.internal.DataFlowImpl
+private import codeql.rust.security.SensitiveData
+private import codeql.rust.Concepts
+
+/**
+ * Provides default sources, sinks and barriers for detecting cleartext storage
+ * of sensitive information in a database, as well as extension points for
+ * adding your own.
+ */
+module CleartextStorageDatabase {
+  /**
+   * A data flow source for cleartext storage vulnerabilities.
+   */
+  abstract class Source extends DataFlow::Node { }
+
+  /**
+   * A data flow sink for cleartext storage vulnerabilities.
+   */
+  abstract class Sink extends QuerySink::Range {
+    override string getSinkType() { result = "CleartextStorageDatabase" }
+  }
+
+  /**
+   * A barrier for cleartext storage vulnerabilities.
+   */
+  abstract class Barrier extends DataFlow::Node { }
+
+  /**
+   * Sensitive data, considered as a flow source.
+   */
+  private class SensitiveDataAsSource extends Source instanceof SensitiveData { }
+
+  /**
+   * A sink for cleartext storage vulnerabilities from model data.
+   */
+  private class ModelsAsDataSink extends Sink {
+    ModelsAsDataSink() { exists(string s | sinkNode(this, s) and s.matches("database-store")) }
+  }
+}

rust/ql/src/queries/security/CWE-312/CleartextStorageDatabase.ql

@@ -0,0 +1,55 @@
+/**
+ * @name Cleartext storage of sensitive information in a database
+ * @description Storing sensitive information in a non-encrypted
+ *              database can expose it to an attacker.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity TODO
+ * @precision high
+ * @id rust/cleartext-storage-database
+ * @tags security
+ *       external/cwe/cwe-312
+ */
+
+import rust
+import codeql.rust.dataflow.DataFlow
+import codeql.rust.dataflow.TaintTracking
+import codeql.rust.security.CleartextStorageDatabaseExtensions
+
+/**
+ * A taint configuration from sensitive information to expressions that are
+ * stored in a database.
+ */
+module CleartextStorageDatabaseConfig implements DataFlow::ConfigSig {
+  import CleartextStorageDatabase
+
+  predicate isSource(DataFlow::Node node) { node instanceof Source }
+
+  predicate isSink(DataFlow::Node node) { node instanceof Sink }
+
+  predicate isBarrier(DataFlow::Node barrier) { barrier instanceof Barrier }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    // make sources barriers so that we only report the closest instance
+    isSource(node)
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // flow from `a` to `&a`
+    node2.asExpr().getExpr().(RefExpr).getExpr() = node1.asExpr().getExpr()
+  }
+
+  predicate observeDiffInformedIncrementalMode() { any() }
+}
+
+module CleartextStorageDatabaseFlow = TaintTracking::Global<CleartextStorageDatabaseConfig>;
+
+import CleartextStorageDatabaseFlow::PathGraph
+
+from
+  CleartextStorageDatabaseFlow::PathNode sourceNode, CleartextStorageDatabaseFlow::PathNode sinkNode
+where CleartextStorageDatabaseFlow::flowPath(sourceNode, sinkNode)
+select sinkNode, sourceNode, sinkNode,
+  "This operation stores '" + sinkNode.toString() +
+    "' in a database. It may contain unencrypted sensitive data from $@.", sourceNode,
+  sourceNode.getNode().toString()